Preface



ASIACRYPT’98, the international conference covering all aspects of theory and
application of cryptology and information security, is being held at Beijing Friendship
Hotel from October 18 to 22. This is the fourth of the Asiacrypt conferences.
ASIACRYPT’98 is sponsored by the State Key Laboratory of Information Security
(SKLOIS), University of Science and Technology of China (USTC), and the Asiacrypt
Steering Committee (ASC), in cooperation with the International Association for
Cryptologic Research (IACR).

The 16-member Program Committee organized the scientific program and 
considered 118 submissions. Of these, 32 were accepted for presentation. The authors’ 
affiliations of the 118 submissions and the 32 accepted papers range over 18 and 13 
countries or regions, respectively. 

The submitted version of each paper was sent to all members of the Program
Committee and was extensively examined by at least three committee members and/or
outside experts. The review process was rigorously blinded and the anonymity of each
submission was maintained until the selection was completed. We followed the
traditional policy that each member of the Program Committee could be an author of at
most one accepted paper.

These proceedings contain the revised versions of the 32 contributed talks as well 
as a short note written by one invited speaker. Comments from the Program Committee 
were taken into account in the revisions. However, the authors (not the committee) bear 
full responsibility for the contents of their papers. 

We are very grateful to the members of the Program Committee for generously
spending so much of their time on the difficult task of selecting the papers. They are:
Thomas A. Berson, Colin Boyd, Zongduo Dai, Marc Girault, Xuejia Lai, Tzonelih
Hwang, Burt Kaliski, Kwangjo Kim, Kouichi Sakurai, Mitsuru Matsui, Andrew
Odlyzko, Guozhen Xiao, Lam Kwok Yan, Yuliang Zheng. We also thank the following
outside experts who assisted the Program Committee in evaluating various papers:
Masayuki Abe, Kazumaro Aoki, Fabrice Boudot, Dengguo Feng, Atsushi Fujioka,
Eiichiro Fujisaki, Henri Gilbert, Louis Goubin, Shaoquan Jiang, Masayuki Kanda,
Shiho Moriai, Tatsuaki Okamoto, Haiwen Ou, Jacques Patarin, Philippe Toffin, Jacques
Traore, Shigenori Uchiyama, Yujie Zhou, Moti Yung. We apologize for any omission
in this list.

We would like to thank all who have submitted papers to ASIACRYPT’98
and the authors of accepted papers for their on-time preparation of camera-ready
manuscripts.

We are also pleased to thank Shu Chang and Chen Lan for their help with 
preparation of the various tasks of the program co-chairs. 



August 1998 



Kazuo Ohta 
Dingyi Pei 
Generating RSA Moduli with a Predetermined Portion



Arjen K. Lenstra 

Citibank, N.A., 4 Sylvan Way, Parsippany, NJ 07054, U.S.A. 
arjen.lenstra@citicorp.com 



Abstract. This paper reviews and generalizes a method to generate RSA
moduli with a predetermined portion. The potential advantages of the resulting
methods are discussed: both the storage and the computational requirements of
the RSA cryptosystem can be considerably reduced. The constructions are as
efficient as generation of regular RSA moduli, and the resulting moduli do not
seem to offer less security than regular RSA moduli.



1 Introduction 

In [18] Vanstone and Zuccherato presented several methods to generate RSA moduli
that contain a certain predetermined portion. They describe scenarios where such
moduli may be useful by reducing the storage requirements of RSA moduli without
compromising security. For instance, all members of a group of users may share some
fixed number of bits of their RSA moduli, or users may want to include a binary
representation of their personal data in their RSA modulus. For DSA keys with a
predetermined portion see [13].

For an N-bit RSA modulus Vanstone and Zuccherato are able to specify up to N/2
leading bits. Their method for doing so is, however, quite inefficient. They also
present a faster method that allows specification of up to N/4 leading bits, and a
compromise scheme of intermediate speed that specifies between N/4 and N/2 leading bits.
All these methods are rather cumbersome and require factorization of the number
given by the specified leading bits. A more serious disadvantage of the leading bits
methods from [18] is that Coppersmith has shown in [12] that the resulting moduli are
substantially easier to factor than a general product of two large primes.

Perhaps the most surprising aspect of the Vanstone/Zuccherato method is why they
chose such a complicated method and apparently overlooked the obvious and
straightforward trick that is reviewed in this paper. Not only is it elementary, it also does not
seem to be affected by any known attack. This ‘follow your nose’ approach was
known to at least some people, among them Coppersmith (cf. [3]), Quisquater (cf.
[12]), and Shamir (cf. [16]), but most people, including the present author, were
unaware of it. Allegedly (cf. [12]), it is used in a 1984 French banking standard.
Attempts to access the reference [9] to this standard failed. Sakurai pointed out that the
method is described in [19] for a different application. Apparently, the trick was
independently reinvented many times, which is not so strange given how simple it is.

K. Ohta and D. Pei (Eds.): ASIACRYPT’98, LNCS 1514, pp. 1-10, 1998. 
The method presented in this paper allows generation of RSA moduli with any
number of predetermined leading bits, with the fraction of specified bits only limited
by security considerations. The basic method is as efficient as regular generation of
RSA moduli. Several generalizations are described as well: a slower version that
allows specification of slightly more bits, a method to specify any number of trailing
bits, and combined methods where the specified bits are split among the leading and
trailing bits of the modulus. In all methods ‘bits’ may be replaced by digits with
respect to any radix. The method to specify trailing bits is a simple modification of the
basic method. It was already described in [18] and is included for completeness.

Coppersmith’s attack does not affect any of the methods presented here (and
therefore neither the security of the Vanstone/Zuccherato trailing bits method). Neither
does any other known attack seem to affect the security of the moduli as generated by
the methods presented here. Obviously that does not imply a proof of security. It can
be proved that for a randomly selected predetermined portion the resulting moduli
cannot be distinguished from regular RSA moduli. This is about the strongest security
result one may hope for in this context. Proving absolute security of the schemes
themselves is an entirely different matter. Such a proof is unlikely. Some confidence
in the strength of the methods may be provided by the fact that several eminent
cryptanalysts have been aware of the basic method for many years without being able to
break it.

More or less the opposite approach to randomly selecting a predetermined portion
is to select it in such a way that the resulting moduli are relatively close to a power
of 2. According to [12] both Quisquater and the French banking standard focussed on
this particular application, because it allows entirely division-free and thus much faster
modular multiplication. Intuitively it sounds like a bad idea, but when a few
straightforward precautions are taken no published factoring method can take substantial
advantage of the special form of the modulus. Both in the May 1998 draft of the
forthcoming ANSI X9.31 standard (cf. [1]) and in [17] it is mentioned that RSA moduli of
the form 2^k + c should not be used because they would be ‘readily susceptible’ to the
special version of the number field sieve integer factoring algorithm. Neither [1] nor
[17] specify how such moduli are generated, but if one of the methods presented in
this paper is used, then they are not vulnerable to such an attack.

The X9.31 standard contains a number of criteria to be satisfied by primes dividing
an RSA modulus. Some of these criteria make sense and can easily be satisfied, either
by construction or by rejecting the (sufficiently small) fraction of moduli that violate
one of the criteria. Other criteria are meant to protect against certain attacks but do, in
fact, not offer any additional protection and provide only a false and misleading sense
of security. Attempts to satisfy these latter criteria simply do not make sense, as
argued in [15] as well. Therefore, the X9.31 criteria have not been incorporated in the
methods presented in this paper. It should be kept in mind, however, that incorporation
is possible and that in practical circumstances some of the criteria will have to be
taken into account.

This paper is organized as follows. In Section 2 the basic method and its
generalizations are presented. Section 3 comments on the security of the proposed methods,
and in Section 4 RSA moduli that are relatively close to a power of 2 are discussed.
2 Generating RSA Moduli with a Predetermined Portion

Throughout this section d ∈ Z with d > 1 denotes a fixed radix. A digit refers to a digit in the
radix d representation. For a positive integer r its length |r| refers to the length of r’s
radix d representation with non-zero leading digit.

The length of the RSA modulus n to be constructed is denoted by N, the length of
the predetermined portion s of n is denoted by K with K < N, and L = N-K. The
concatenation of two arrays of digits a_1 and a_2 is denoted a_1||a_2. In this section methods are
presented to construct RSA moduli with radix d representation s||r, r||s, and s_1||r||s_2,
where r is an array of L digits and s = s_1||s_2. Throughout this section it is assumed that
N, K, and L are sufficiently large.

(2.1) Fixing the leading digits of n. Let s be a number of length K. First compute the
number n' = s*d^L of length N. Next, pick a random prime p of length at most L, round
n' up to the nearest multiple of p, and let q' be the integer such that n' = p*q'. Finally,
find the smallest non-negative integer m such that q = q' + m is prime. If the resulting
n = p*q is of the form s||r, then return n, p, and q, and terminate; otherwise start all
over again with the same s.

Remarks. Note that ⌊p*q'/d^L⌋ = s and that n = s||r, i.e., ⌊n/d^L⌋ = ⌊p*(q'+m)/d^L⌋ = s,
holds if p-1+m*p < d^L (where the ‘p-1’ results from the rounding up). Because of the
Prime Number Theorem, m may on average be expected to be of order ln(N-|p|). It
follows that if p is chosen such that |p| is approximately equal to L-ln(K), then
Algorithm (2.1) may be expected to find an RSA modulus in time O(ln(L)+ln(K)):
O(ln(L)) steps to find a random p and O(ln(K)) to find q given q'. This is the same as
the expected time needed for regular generation of an RSA modulus of length N
consisting of the product of a length L and a length K prime.

If |p| is chosen closer to L (or, equivalently, if the length of s is chosen larger while
keeping |p| fixed) then Algorithm (2.1) may be expected to require more iterations
before it is successful. The largest |p| (or, equivalently, largest |s|) would require q' to
be prime, in which case Algorithm (2.1) may be expected to find an RSA modulus in
time O(ln(L)*ln(K)). This is of course substantially slower than regular RSA modulus
generation, but maximizes the length of the predetermined portion as N-|p|.

If L-|p| is chosen larger, then q can be chosen at random from among the primes in
a much wider range above q'. Obviously, for random s, this makes q much closer to a
random prime than is the case in Algorithm (2.1).

The number n' may also be defined as s*d^L + d^L - 1, rounded down instead of up,
after which the smallest non-negative m such that q'-m is prime should be determined.
Or the last L digits of n' may be randomized in either version. Also, truly random
digits may be appended to s, or p may be the product of several (sufficiently large)
primes. Or any of numerous other minor modifications may be applied to Algorithm
(2.1). Note that Algorithm (2.1) does not impose any size restrictions on p and q in
addition to the standard size restrictions for factors of RSA moduli.
A similar straightforward construction can be used to fix the trailing digits of n.
Instead of dividing the (shifted) pattern by a random prime and appropriately changing
the trailing digits, the pattern may be divided by a random prime modulo a power of
the radix, after which the leading digits are changed appropriately. The resulting
method is identical to the method in Section 7 of [18]:

(2.2) Fixing the trailing digits of n. Let s be an array of K digits that corresponds to
an odd number (where s may have leading digits zero). First pick a random prime p of
length at most L, and a random number x of length L-|p|. Next, let q' = x*d^K + ((s/p)
mod d^K) and let n' = p*q'. Finally, find the smallest non-negative integer m such that q'
+ m*d^K is prime, and let q be q' + m*d^K. If the resulting n = p*q has length N, then
return n, p, and q, and terminate; otherwise start all over again with the same s.

Remarks. The inverse of p modulo d^K exists since p is prime and d may be assumed to
be much smaller than p. Furthermore, |n'| = K+L-|p|+|p| = N and n mod d^K = p*(q'+
m*d^K) mod d^K = p*(x*d^K + ((s/p) mod d^K)) mod d^K = s mod d^K = s. The resulting n has
length at most N as long as m is not too large. Combined with the fact that the Prime
Number Theorem also holds in arithmetic progressions it follows that the run time
analysis of Algorithm (2.2) is similar to the run time analysis of Algorithm (2.1). Also,
more or less the same modifications can be applied.

Algorithms (2.1) and (2.2) can be combined into at least two different methods to
predetermine leading and trailing portions of the digits of an RSA modulus. The
conceptual ideas of the two methods are presented below. Let s = s_1||s_2 with |s_1| = K_1, |s_2| =
K_2, K = K_1+K_2, s_2 odd if K_2 > 0, and assume that N = 2K. The constructions
immediately generalize to any N > 2K. In general N < 2K cannot be achieved, i.e., at most
half the bits of the resulting modulus can be predetermined.

(2.3) Fixing the leading and trailing digits of n. Pick a random prime p of length K,
and write p = p_1||p_2 with |p_1| = K_1 and |p_2| = K_2. As in Algorithm (2.1) divide s_1 by p_1 to
get q_1, the leading K_1 digits of q. As in Algorithm (2.2) divide s_2 by p_2 modulo d^(K_2) to get
q_2, the trailing K_2 digits of q. Let q' = q_1||q_2. Find the smallest non-negative integer m
such that q' + m*d^(K_2) is prime, and let q = q' + m*d^(K_2).

(2.4) Alternative (slow) method of fixing the leading and trailing digits of n. Pick a
number p_1 at random with |p_1| = K_1, the leading K_1 digits of p. As in Algorithm (2.1)
divide s_1 by p_1 to get q_1, the leading K_1 digits of q. Pick an array q_2 of K_2 random digits,
the trailing K_2 digits of q. As in Algorithm (2.2) divide s_2 by q_2 modulo d^(K_2) to get p_2,
the trailing K_2 digits of p. Iterate choice of q_2 (or add 1 to q_2 and adapt p_2 accordingly)
until p = p_1||p_2 and q = q_1||q_2 are prime.

Remarks. In both (2.3) and (2.4) the resulting n = p*q has trailing K_2 digits equal to s_2
and leading K_1 digits close to s_1. The leading K_1 digits can be made equal to s_1 by
including breathing space after the K_1-th but before the K_2-th digit, similar to the
construction explained in the analysis of Algorithm (2.1). The details can be filled in
easily.

Algorithm (2.3) runs in expected time O(ln(K)): p is selected first after which q
follows, as in Algorithms (2.1) and (2.2). In Algorithm (2.4) parts of p and q are
selected at random, after which the complementary parts follow. Because the primes are
constructed simultaneously Algorithm (2.4) runs in expected time O(ln(K)^2). It is
unclear if the approach of spreading the randomness between the two factors as in
Algorithm (2.4) has any advantages compared to the more direct approach of
Algorithm (2.3). With K_2 = 0 Algorithm (2.3) reduces to Algorithm (2.1) with N = 2K,
and with K_1 = 0 Algorithm (2.3) reduces to Algorithm (2.2) with N = 2K.

The lengths of p and q do not have to be the same, as follows from the following
generalized version of Algorithm (2.3).

Pick a random prime p of length L (L = N-K), and write p = p_1||p_2 with |p_1| = L_1
and |p_2| = L_2. As in Algorithm (2.1) divide s_1*d^(L_1) by p_1 to get q_1, the leading K_1
digits of q. As in Algorithm (2.2) divide s_2 by p_2 modulo d^(K_2) to get q_2, the trailing
K_2 digits of q. Let q = q_1||q_2. Keep adding d^(K_2) to q until q is prime.

A similar change applies to Algorithm (2.4). In both generalizations at most half the 
bits of the resulting modulus can in general be predetermined. 
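As an added illustration (example code written for this edition, not part of the paper), the following Python implements Algorithms (2.1), (2.2) and (2.3) for an arbitrary radix d, so the remark that ‘bits’ may be replaced by digits of any radix can be tried directly. The Miller-Rabin test, the ‘slack’ parameter that plays the role of L-|p|, and the sample inputs are this example’s own choices, not the paper’s.

```python
import math
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; adequate for this demonstration."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def length(r, d):
    """|r|: number of radix-d digits of r (non-zero leading digit)."""
    k = 0
    while r:
        r, k = r // d, k + 1
    return k

def random_prime(k, d):
    """Random prime with exactly k radix-d digits."""
    while True:
        cand = random.randrange(d ** (k - 1), d ** k)
        if is_probable_prime(cand):
            return cand

def fix_leading_digits(s, N, d=2, slack=10):
    """Algorithm (2.1): (n, p, q) whose radix-d representation is n = s || r."""
    K = length(s, d)
    L = N - K
    while True:
        n1 = s * d ** L                       # n' = s * d^L, length N
        p = random_prime(L - slack, d)        # |p| a little below L leaves room for m*p
        q = -(-n1 // p)                       # q' = ceil(n'/p): n' rounded up to a multiple of p
        while not is_probable_prime(q):       # q = q' + m, smallest m >= 0 making q prime
            q += 1
        n = p * q
        if n // d ** L == s:                  # the leading K digits survived the increment
            return n, p, q

def fix_trailing_digits(s, K, N, d=2, slack=10):
    """Algorithm (2.2): (n, p, q) whose radix-d representation is n = r || s."""
    assert length(s, d) <= K and math.gcd(s, d) == 1   # "s odd" for d = 2
    L = N - K
    modulus = d ** K
    while True:
        p = random_prime(L - slack, d)
        x = random.randrange(d ** (slack - 1), d ** slack)   # random x of length L-|p|
        q = x * modulus + s * pow(p, -1, modulus) % modulus  # q' = x*d^K + (s/p mod d^K)
        while not is_probable_prime(q):
            q += modulus                      # q = q' + m*d^K keeps p*q = s (mod d^K)
        n = p * q
        if length(n, d) == N:
            return n, p, q

def fix_leading_and_trailing_digits(s1, s2, K2, d=2):
    """Algorithm (2.3), N = 2K: trailing K2 digits of n equal s2, leading K1 digits close to s1."""
    assert K2 >= 1 and math.gcd(s2, d) == 1
    K1 = length(s1, d)
    modulus = d ** K2
    p = random_prime(K1 + K2, d)
    p1, p2 = divmod(p, modulus)               # p = p1 || p2
    q1 = s1 * d ** K1 // p1                   # as in (2.1): leading K1 digits of q
    q2 = s2 * pow(p2, -1, modulus) % modulus  # as in (2.2): trailing K2 digits of q
    q = q1 * modulus + q2                     # q' = q1 || q2
    while not is_probable_prime(q):
        q += modulus                          # q = q' + m*d^K2
    return p * q, p, q

if __name__ == "__main__":
    # Constructed sample inputs: a date as leading decimal digits, a year as trailing ones.
    n, p, q = fix_leading_digits(19980123, 60, d=10)
    print("leading digits fixed (radix 10):", n)
    n, p, q = fix_trailing_digits(1999, 4, 60, d=10)
    print("trailing digits fixed (radix 10):", n)
    n, p, q = fix_leading_and_trailing_digits(0xABCDEF0123456789, 0x1234567890ABCDE1, 64)
    print("both ends fixed (radix 2):", hex(n))
```

The (2.3) output shows the ‘close to s_1’ remark from the paper: the trailing digits match exactly while the leading ones are off by a small amount that grows with m.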



3 Security Considerations 

During regular generation of RSA moduli two primes, say p and q, are randomly and
independently selected, and their product, say n, is made public. Despite the
independence of p and q, however, the prime q is determined by p and a complementary portion
of only [log_d(n)-log_d(p)] leading and/or trailing radix d digits of n, for any d > 1. In
Algorithms (2.1), (2.2), and (2.3) the prime factor q is, by construction, determined by
the choice of p and the predetermined portion s of complementary length. It follows
that this situation is identical to regular RSA moduli, as long as the complementary
portion s of the modulus is randomly selected and as long as only m = 0 is allowed in
Algorithms (2.1), (2.2), and (2.3). (Instead of requiring m = 0, a much larger range of
m’s may be allowed than in Algorithms (2.1), (2.2), and (2.3), to deal with the ‘unfair’
advantage of primes ending a long arithmetic progression of composites. Note,
however, that many efficient prime generation methods used in RSA moduli generation
have the same bias.) A slightly more involved argument applies if portions of p and q
are randomly selected (and s is random), as in Algorithm (2.4). Thus, if the
predetermined portion is randomly selected then the moduli as constructed by the proper
variations of the methods from Section 2 cannot be distinguished from regular RSA
moduli. A similar argument appeared in [19].

Even if the predetermined portion is not randomly selected it is in general unclear
how to distinguish any particular modulus constructed as in Section 2 from a regular
RSA modulus. A predetermined portion that looks random to an unsuspecting outsider
may consist of some contrived encoding of useful information, such as a key merged
with a block cipher encryption using that key. An insider who knows the encoding
scheme for the predetermined portion has an advantage if no precautions are taken to
hide the length of the factors. How this advantage may be used to factor the modulus
is unclear, as long as none of the factors is chosen too small and p does not depend on
the predetermined portion (as in [19]). Hiding the length of the factors may for
instance be done by adding truly random bits to the predetermined portion s, as
mentioned in Section 2, or by forcing m as in Section 2 to be such that s gets extended, a
modification not explicitly mentioned in Section 2.

Once a predetermined portion has been recognized, for instance because it is shared
by many moduli, it is hard to imagine how it would help to factor any of them, since
anyone can generate such moduli. Furthermore, it is very unlikely that the security of a
regular RSA modulus is affected by using one of the algorithms from Section 2 to
generate a modulus having a large portion in common with it. Note that shared leading
digits can easily be recognized, mostly irrespective of the d used during construction
and the radix used for representation of the moduli. A common trailing portion may be
harder to recognize if different radices are used during construction and
representation. One very minor problem with a shared portion is that there is a larger probability
that two participants end up with the same modulus, but this probability is of the same
order of magnitude that someone guesses one of the factors of an RSA modulus, and
may thus be neglected.

Predetermined portions that lead to special computational properties of the resulting 
moduli are discussed in the next section. 



4 Moduli of a Special Form 

Algorithm (2.1) can be used to generate RSA moduli of the form d^N ± t for positive t’s
that are substantially smaller than d^N. On computers where numbers are internally
represented using radix d numbers, arithmetic operations modulo such RSA moduli
can be carried out very efficiently because divisions can entirely be avoided. Let the
radix d representation of t have N/c digits for some c > 1. Then reduction modulo d^N ± t
of a product of approximately 2N radix d digits can be done in approximately N/(N-N/c)
multiplications of two numbers of N-N/c and N/c radix d digits, plus some additions.
In standard arithmetic this amounts to approximately N^2/c multiplications, which
is c times faster than ordinary or Montgomery reduction (cf. [10]) modulo numbers of
the same size. Moreover, ordinary reduction requires on the order of N low level
divisions. The above division-free reduction can be expected to make modular
exponentiation approximately 5c/(2c+3) times faster, a speed-up that can be increased by using
Karatsuba multiplication during the reduction process.

Algorithms (2.3) or (2.4) or their generalizations can be used to generate RSA
moduli of the form d^N ± t*d^M ± 1 with M < N/2 and |t| = N/2. As above, reduction modulo
d^N ± t*d^M ± 1 of a product of approximately 2N radix d digits can be done in
approximately N^2/2 multiplications. Algorithm (2.2) can be used to generate N-digit RSA
moduli of the form t*d^M + 1. It is easy to see that such moduli lead to similar speed-ups,
not only when using standard arithmetic but also when Montgomery arithmetic (cf.
[10]) is used.
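To make the division-free reduction of this section concrete, here is an added Python example (not from the paper) that reduces modulo n = 2^N ± t using only multiplications, shifts, masks and additions, and builds a modular exponentiation on it. The 64-bit N and the 32-bit t (so c = 2 in the paper’s notation) are constructed test values, not a modulus produced by Algorithm (2.1).

```python
def reduce_special(x, N, t, sign=-1):
    """Reduce 0 <= x < n^2 modulo n = 2^N + sign*t using no division at all.

    Writing x = hi*2^N + lo and using 2^N = -sign*t (mod n), the value
    x - hi*n = lo - sign*t*hi is congruent to x and about N - |t| bits shorter;
    repeating this a few times brings x below n.
    """
    n = (1 << N) + sign * t
    mask = (1 << N) - 1
    while x >= n:
        hi, lo = x >> N, x & mask
        if hi == 0:                       # n <= x < 2^N: only possible when n = 2^N - t
            x -= n
            continue
        x = lo - sign * t * hi            # one multiplication of |t| by |hi| bits
        if x < 0:                         # only when n = 2^N + t: add the smallest n*2^j
            j = max(0, (-x).bit_length() - N)   # that exceeds -x (a shift, not a division)
            x += n << j
    return x

def mulmod_special(a, b, N, t, sign=-1):
    """a*b mod (2^N + sign*t) for 0 <= a, b < n."""
    return reduce_special(a * b, N, t, sign)

def powmod_special(base, exp, N, t, sign=-1):
    """Left-to-right square-and-multiply built on the division-free reduction."""
    result = 1
    base = reduce_special(base, N, t, sign)
    for bit in bin(exp)[2:]:
        result = mulmod_special(result, result, N, t, sign)
        if bit == "1":
            result = mulmod_special(result, base, N, t, sign)
    return result

if __name__ == "__main__":
    # Constructed demonstration values: N = 64 and a 32-bit t (c = 2); a real
    # deployment would take t from a modulus generated by Algorithm (2.1).
    N, t = 64, 0x9E3779B9
    for sign in (-1, 1):
        n = (1 << N) + sign * t
        assert powmod_special(3, 65537, N, t, sign) == pow(3, 65537, n)
        print("n = 2^64 %s t: 3^65537 mod n =" % ("-" if sign < 0 else "+"),
              powmod_special(3, 65537, N, t, sign))
```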
It is suggested in [1] and [17] that such special form moduli are easier to factor than
regular RSA moduli. If that is indeed the case, then using them cannot be
recommended. Below some characteristics of the currently known factoring algorithms are
discussed and how their speed may be affected by factoring the above N-digit special
composites as opposed to regular RSA moduli having N radix d digits. Without loss of
generality it is assumed that d = 2 and that regular 1024-bit RSA moduli may be
considered to be sufficiently secure against factoring attacks. The question addressed is
how small t may be chosen so that the factorization of 2^1024 ± t does not become
substantially easier than the factorization of a regular 1024-bit RSA modulus.

Elliptic curve method. The elliptic curve method (cf. [8]) is good at finding small
factors, with only polynomial dependence on the size of the number being factored.
Given ample practical experience with this method it may safely be assumed that
2^1024 ± t cannot be factored by the elliptic curve method as long as the smallest factor is
at least 2^300, even if the implementation takes advantage of the special arithmetic
properties of the number 2^1024 ± t being factored. Because in Algorithm (2.1) the size of t
corresponds to the size of one of the factors it follows that t should be at least 2^300 and
at most

Other special purpose methods. With a smallest prime factor that is already at least
2^300 it may safely be assumed that 2^1024 ± t is secure against trial division and Pollard’s
rho method, and may be expected to be secure against Pollard’s p-1 method and
variations thereof (cf. [6]). Since the size of t corresponds to the size of the factor p
that is randomly selected at the beginning of Algorithm (2.1), explicit protection
against the latter methods may even be included (despite [15] and the author’s
reservations about such protections).

Number field sieve. If 2^1024 ± t can be written as f(m) for an integer m and integral
polynomial f of reasonably low degree d, say between 3 and 10, and with coefficients
substantially smaller than the d-th or (d+1)-st root of n, then the number field sieve
(cf. [7]) runs substantially faster than for general 1024-bit numbers. Actually, if the
coefficients are bounded by constants the much faster ‘special’ number field sieve
applies. Note that all coefficients need to be small to get a substantial speed-up: as
long as even one of them is close to the d-th or (d+1)-st root of n hardly any speed-up
will be obtained. For 2^1024 ± t with a t that may be expected to behave as a random
number of at least 300 bits the probability is negligible that such a polynomial f with
unusually small coefficients exists. Thus the number field sieve cannot be expected to
factor numbers of the form 2^1024 ± t (as generated by Algorithm (2.1)) faster than regular
1024-bit RSA moduli, if the number 2^1024 ± t is already properly protected against the
elliptic curve method.

Quadratic sieve. In the quadratic sieve factoring method (cf. [14]) one attempts to
find many smooth numbers close to the square root of the number being factored,
where a number is smooth when all its prime factors are smaller than some specified
bound. Given the way the numbers that are inspected for smoothness are generated,
their size or smoothness probability is not affected by the special form of 2^1024 ± t. Thus
the quadratic sieve cannot be expected to factor numbers of the form 2^1024 ± t faster than
regular 1024-bit RSA moduli.

Continued fraction method. The continued fraction method (cf. [11]) uses the
continued fraction expansion of the square root of the number n being factored to generate
numbers that are inspected for smoothness. In general these numbers are at most 2√n.
The recursion used to generate them does not produce numbers of significantly
different size if n is of the form 2^1024 ± t. The continued fraction method can therefore not be
expected to be able to take advantage of the special form of 2^1024 ± t.

Cubic sieve. If integers a, b, c can be found such that b^3 ≠ a^2*c and b^3 ≡ a^2*c modulo
2^1024 ± t (or a similar identity holds), then 2^1024 ± t can be factored by means of the cubic
sieve (cf. [4]) in approximately the same time it would take the quadratic sieve to factor a
general number of the same order of magnitude as (max(a,b,c))^2. Thus, the identity
2*(2^341)^3 ≡ ∓t modulo 2^1024 ± t may make it possible to factor 2^1024 ± t in the same time it
would take the quadratic sieve to factor a number of order max(2^682, t^2), assuming that t is
square-free. It should be noted that this estimate is probably rather optimistic as far as
the speed of the cubic sieve is concerned, because computational experience with the
cubic sieve is very limited. For a conservative estimate of the security of 2^1024 ± t this
optimism is justifiable.

The number field sieve factorization of a number ≈ 10^130 could have been
completed in one fifth of the time of the quadratic sieve factorization of a number ≈ 10^129
(cf. [5]). Combining this conservative estimate with the asymptotic run times of the
number field sieve and quadratic sieve, it follows that a 780-bit number offers
approximately the same amount of security against a quadratic sieve attack as a 1024-bit
number offers against a number field sieve attack. Thus, for square-free t, the security
of 2^1024 ± t is not affected by the cubic sieve if max(2^682, t^2) ≥ 2^780. It follows that t should
be of the form a^2*t’ where t’ has at least approximately 390 bits and is square-free. This
condition either can be satisfied by factoring (and possibly rejecting) a 390-bit t as
found by Algorithm (2.1), a rather impractical and cumbersome process, or it may
safely be assumed to hold on probabilistic grounds by using a larger t of, say, 500 bits.

Zhang’s method. If 2^1024 ± t can be written as m^3 + c_2*m^2 + c_1*m + c_0, then the method from
[20] factors 2^1024 ± t in approximately the same time it would take the quadratic sieve to
factor a general number of the same order of magnitude as 2^683*max_{0≤i≤2} c_i. Because
vulnerability to this method implies vulnerability to the number field sieve, no
speed-up can be expected if the number 2^1024 ± t is already properly protected against the
elliptic curve method.

Other general purpose factoring methods. There do not seem to be any special
properties of any other published general purpose factoring algorithms, such as
Dixon’s random squares method or the various methods using class groups, that may
affect the security of numbers of the form 2^1024 ± t with, say, 2^500 < t < 2^724 as constructed
by Algorithm (2.1).
Conclusion. It follows from the above brief factoring survey that numbers of the form
2^1024 ± t as constructed by Algorithm (2.1) offer regular 1024-bit RSA security, as long
as t is not much smaller than 2^500, and that square-free t’s as small as 400 bits may
even be used. Furthermore, t should not be much bigger than 2^724. Thus RSA
operations could be made at least 30% faster (using the analysis presented above with c =
2), while at the same time considerably simplifying the division code and saving
storage space for RSA moduli. These are rather minor advantages compared to the
enormous disadvantage of a security breach when the above conclusion happens to be
incorrect.

After some straightforward modifications the same factoring analysis (and thus the 
same conclusion) applies to the special form moduli generated using Algorithms (2.2), 
(2.3), or (2.4). 
Abstract. At Crypto’97 Boneh and Franklin proposed a protocol to
efficiently generate shared RSA keys. In the case of two parties, the 
drawback of their scheme is the need of an independent third party. 
Furthermore, the security is guaranteed only if the three players follow 
the protocol. In this paper, we propose a protocol that enables two parties 
to evaluate any algebraic expression, including an RSA modulus, along 
the same lines as in the Boneh-Franklin protocol. Our solution does not 
need the help of a third party and the only assumption we make is 
the existence of an oblivious transfer protocol. Furthermore, it remains 
robust even if one of the two players deviates from the protocol. 



1 Introduction 

The general problem of private multi-party computation has motivated many
solutions for ten years. In 1986, Yao m proved the existence of secure two-party
protocols assuming the computational intractability of factoring large integers.
Goldreich, Micali and Wigderson m generalized this result and showed that
trapdoor functions enable the evaluation of any function whose inputs are privately
owned by the parties, provided a majority of them is honest. The next year,
Ben-Or, Goldwasser and Wigderson [2] and independently Chaum, Crépeau and
Damgård jS| solved the same problem under an information-theoretic approach.
Then, many papers improved the needed assumptions m, the theoretical
bounds for subclasses of functions 0 or the simplicity and the efficiency of the
methods m-

The aim of all those papers is to solve any multi-party computation
problem. Accordingly the first step is always the description of the function to be
privately evaluated as a logical circuit or as a polynomial over a finite field. This
enables the reduction of the problem to a very small set of elementary protocols, like
the computation of the logical AND of two bits, at the cost of polynomial but
impractical solutions. Consequently, even if the problem of multi-party
computation is theoretically solved, the design of more specific but also more efficient
protocols appears necessary.

Boneh and Franklin followed this “application oriented” approach to solve the problem of generating shared RSA keys. More precisely, some parties want to jointly generate an RSA modulus $N = pq$, where $p$ and $q$ are prime, in such a way that, at the end of the computation, the parties are convinced that $N$ is indeed a product of two large primes but none of them knows its factorization. They use the general protocol of Ben-Or, Goldwasser and Wigderson to prove that the distributed computation of $N$ by two parties can be efficiently done with the help of a third party, assuming the three players do not collude and follow the protocol. They also prove that the test “$N = pq$ with $p$ and $q$ two prime numbers” can be efficiently done by two honest parties alone, using a clever probabilistic algorithm, a variant of the Miller-Rabin and Solovay-Strassen tests, under the assumption that the quadratic residuosity problem is computationally hard to solve. Finally, they show how two parties can generate shared secret keys, by themselves for small public exponents and with the help of a third party in the general case. An experimental evaluation of the performance shows that a 1024-bit modulus $N$ can be generated in only 10 minutes with Sparc 20 machines.

Independently, Cocks has proposed another solution for the same problem that only involves two honest players but assumes the computational intractability of a problem weaker than RSA. This protocol has since been analyzed and improved.

More recently, Frankel, MacKenzie and Yung have improved the security of the Boneh-Franklin protocol. Their generation scheme is efficient and robust even when a minority of parties are malicious. But in the case of only two parties, both of them have to be honest.



Our Results 

For many applications, the protocol of Boneh and Franklin does not provide an adequate level of security, for two reasons. Firstly, it needs an independent and honest third party. Secondly, the security is guaranteed only if the three players do not deviate from the protocol. In this paper, we show how two parties can efficiently generate shared RSA keys even if one of them is dishonest. From a theoretical point of view, we only assume the existence of oblivious transfer protocols.

From a practical point of view, our scheme is less efficient than the Boneh-Franklin protocol, which is based on the Ben-Or, Goldwasser and Wigderson construction and hence on arithmetic in finite fields. Nevertheless, our protocol is much more efficient, especially in terms of the number of rounds of communication, than those derived from general techniques.

The paper is organized as follows: we first recall the notion of an ANDOS protocol. Then we propose an efficient and general protocol for the distributed evaluation of algebraic expressions by two parties. We prove its security when the players are honest and also its robustness when one of them is malicious. Then, we use this protocol to generate shared RSA keys. Finally, we compare the efficiency of our scheme with general 2-party computation protocols. We also propose, in an appendix, another solution, much simpler and more efficient but less general, based on the higher residue cryptosystem of Naccache and Stern.
All-or-Nothing Disclosure of Secrets Protocols



Oblivious transfer was introduced in 1981 by Rabin, and a specific version, namely the oblivious transfer of one bit out of two, soon emerged as a very useful cryptographic primitive for many applications. Brassard, Crépeau and Robert generalized this notion in various natural ways and proved the equivalence of those protocols in an information-theoretic sense.

All-or-Nothing Disclosure of Secrets (ANDOS) protocols address the following problem: a merchant has $n$ secret bit-strings and wishes to sell one of them to a buyer who has the ability to choose which one he wants. There are two privacy requirements: the merchant does not want the buyer to obtain information about any other secret, and the buyer does not want the merchant to learn anything about the string he has chosen.

Oblivious transfer, and consequently ANDOS, can be based on various assumptions like the existence of trapdoor functions, of noisy channels or of quantum channels. From a practical point of view, efficient implementations can be based on the quadratic residuosity problem or on the Diffie-Hellman assumption.

In this paper we use ANDOS as a cryptographic primitive. In order to formalize its properties, let us consider that Alice sells a secret to Bob. Following the usual terminology, we define the view of Alice to be everything she sees during the execution of the protocol. Let $View_A$ be the random variable whose value is this view. It depends on the secrets $s_1, \dots, s_n$ sold by Alice, on the index $i_B$ of the secret bought by Bob, and on the random tape $\omega_A$ of Alice, considered as a polynomial time Turing machine. We also use the three well-known notions of indistinguishability of random variables: the perfect one, the statistical one and the computational one. In the paper, we just talk about indistinguishability without any other precision for simplicity reasons, but all the definitions and proofs hold in the three models, and the choice of one of them only depends on the properties of the underlying ANDOS.

We model the ANDOS protocol as a scheme that enables Alice to sell one secret out of $n$ to Bob in such a way that:

(ANDOS$_1$) Alice does not learn anything about the index $i_B$ of the secret she has sold:

$\forall j \in [1, n],\quad View_A(\omega_A, s_1, \dots, s_n, i_B)$ is indistinguishable from $View_A(\omega_A, s_1, \dots, s_n, j)$.

(ANDOS$_2$) Bob does not learn anything about the other secrets:

$\forall s'_1, \dots, s'_n$ such that $s'_{i_B} = s_{i_B}$, $\quad View_B(\omega_B, s_1, \dots, s_n, i_B)$ is indistinguishable from $View_B(\omega_B, s'_1, \dots, s'_n, i_B)$.
2 Efficient Two-Party Evaluation of Algebraic Expressions

The General Problem 

Let us consider two players, Alice and Bob, modelled as polynomial time Turing machines, who have private randomly chosen data $d_A \in E_A$ and $d_B \in E_B$. We want to design a two-party computation protocol which enables Alice and Bob to compute a public function $f(d_A, d_B)$ (whose result is encoded as an integer value) modulo a public prime modulus $P$.

This protocol has to meet two main properties. Informally, it must be correct, i.e. the result of the computation must be $f(d_A, d_B) \bmod P$. It must also be private, i.e. a party must not be able to learn information about the other’s secret. The exact meaning of those two properties will be made precise further on. For the moment, let us stress that we do not develop a general two-party computation protocol but just an efficient scheme suitable for the generation of shared RSA keys. Consequently we need weaker notions of privacy and correctness than those described in more general papers.

The Protocol 

Let us consider polynomial size sets $E_A$ and $E_B$ and any prime modulus $P$. The following protocol enables Alice and Bob to compute $f(d_A, d_B) \bmod P$ without revealing their private inputs $d_A \in E_A$ and $d_B \in E_B$.

(1) Alice randomly chooses $(\alpha_A, \beta_A) \in \mathbb{Z}_P \times \mathbb{Z}_P$ (the coefficients of a secret line).

(2) Alice and Bob perform an ANDOS protocol where Alice sells
$\{\gamma_d = \alpha_A \times f(d_A, d) + \beta_A \bmod P\}_{d \in E_B}$ and Bob buys $\gamma_{d_B} = y_B$.

(3) Bob randomly chooses $(\alpha_B, \beta_B) \in \mathbb{Z}_P \times \mathbb{Z}_P$.

(4) Alice and Bob perform an ANDOS protocol where Bob sells
$\{\delta_d = \alpha_B \times f(d, d_B) + \beta_B \bmod P\}_{d \in E_A}$ and Alice buys $\delta_{d_A} = y_A$.

(5) Alice and Bob broadcast (simultaneously) $(\alpha_A, \beta_A, y_A)$ and $(\alpha_B, \beta_B, y_B)$.

(6) They verify $\alpha_A \in \mathbb{Z}_P^*$, $\alpha_B \in \mathbb{Z}_P^*$ and $(y_B - \beta_A) \times \alpha_A^{-1} = (y_A - \beta_B) \times \alpha_B^{-1} \bmod P$. If this equality holds, $f(d_A, d_B) = (y_A - \beta_B) \times \alpha_B^{-1} \bmod P$; we say that the protocol ends successfully. Otherwise, the protocol fails and the players stop cooperating.



Security Analysis for Honest Players 

We first consider that Alice and Bob behave honestly, i.e. follow the protocol. 

Theorem 1 (Correctness). If the two players follow the protocol, it always succeeds and both of them obtain the correct value $f(d_A, d_B) \bmod P$.

Proof. The correctness of the protocol when the two players are honest is obvious from the graphical representation of Figure 1: $y_B$ is the point of Alice’s line $y = \alpha_A \cdot x + \beta_A$ at $x = f(d_A, d_B)$, $y_A$ is the point of Bob’s line $y = \alpha_B \cdot x + \beta_B$ at the same abscissa, so both sides of the equality checked at step (6) equal $f(d_A, d_B) \bmod P$. (The check of step (6) can only reject an honest run if $\alpha_A$ or $\alpha_B$ is zero, which an honest player avoids by drawing $\alpha$ in $\mathbb{Z}_P^*$.) □
[Figure 1: the line $y = \alpha_A \cdot x + \beta_A$ revealed by Alice and the line $y = \alpha_B \cdot x + \beta_B$ revealed by Bob, both evaluated at the abscissa $x = f(d_A, d_B)$.]

Fig. 1. Graphical representation of the two-party computation protocol



Theorem 2 (Privacy). Given $f(d_A, d_B) \bmod P$ and their own private data, Alice and Bob can each simulate the transcript of the protocol. Consequently they learn nothing more than the value $f(d_A, d_B) \bmod P$.

Proof. We show how to simulate Alice’s view, but the same proof holds for Bob. The simulator randomly chooses $\alpha_B \in \mathbb{Z}_P$, $\beta_B \in \mathbb{Z}_P$ and $\delta_d \in \mathbb{Z}_P$ for all $d \in E_A - \{d_A\}$. It computes $\delta_{d_A} = y_A = \alpha_B \times f(d_A, d_B) + \beta_B \bmod P$ and $\gamma_d = \alpha_A \times f(d_A, d) + \beta_A \bmod P$ for all $d \in E_B$ (including $y_B = \gamma_{d_B}$). It then randomly chooses $d \in E_B$ and simulates the buying of the secret $\gamma_d$ by Bob. Property (ANDOS$_1$) shows that the view of Alice during the simulation is indistinguishable from what she sees when Bob really buys $\gamma_{d_B}$. It also simulates the buying of $\delta_{d_A} = y_A$ by Alice. Property (ANDOS$_2$) proves that the view of Alice is indistinguishable from her view when the secrets $\{\delta_d\}_{d \in E_A - \{d_A\}}$ are really computed by Bob. Finally, the simulator reveals $\alpha_A, \beta_A, y_A, \alpha_B, \beta_B, y_B$, whose distribution is the same as in a real interaction between Alice and Bob. □



Security Analysis when one Player is Malicious

We only consider the situation where Alice is malicious and Bob honest. For the reverse case, even though the protocol is not symmetrical for the two players, the following proofs remain valid because they do not use the order of the steps (1) to (4).

Let us first recall a useful probabilistic lemma.

Lemma 3. Let $A \subset X \times Y$ such that $\Pr\{A(x, y)\} = \varepsilon$ and, for any $a < \varepsilon$, let $X_0 = \{x \in X \,/\, \Pr\{A(x, y) \,/\, x\} > \varepsilon - a\}$. Then $\Pr\{x \in X_0\} > a$.

Proof. Using Bayes’ law, the probability $\varepsilon = \Pr_{(x, y) \in X \times Y}\{A(x, y)\}$ is equal to $\Pr\{x \in X_0\}\Pr\{A(x, y) \,/\, x \in X_0\} + \Pr\{x \notin X_0\}\Pr\{A(x, y) \,/\, x \notin X_0\}$, and this is at most $\Pr\{x \in X_0\} + \sum_{x \notin X_0} \Pr\{x\}(\varepsilon - a)$.

So $\varepsilon \le \Pr\{x \in X_0\} + (1 - \Pr\{x \in X_0\})(\varepsilon - a)$, i.e. $\Pr\{x \in X_0\}(1 - \varepsilon + a) \ge a$, which gives $\Pr\{x \in X_0\} \ge a/(1 - \varepsilon + a) > a$ for $0 < a < \varepsilon$. □

For the analysis of the security of the protocol when Alice is malicious, we denote by $\tilde{\gamma}_d$ what she sells to Bob during the first ANDOS and by $\tilde{y}_A$ the value she broadcasts at step (5). Such a notation makes it possible to distinguish potentially false values from those computed according to the protocol. The tuple $(\{\tilde{\gamma}_d\}_{d \in E_B}, \alpha_A, \beta_A, \tilde{y}_A)$ is simply denoted $t$, and $\Delta$ denotes the size of $E_B$. Finally, we often omit the modular reduction $\bmod P$ for simplicity reasons, but all the computations are performed in $\mathbb{Z}_P$.

Definition 4. For fixed values of $d_A$, $d_B$ and $t$, Alice is said to be pseudo-honest (PH) if $\tilde{\gamma}_{d_B} = \alpha_A \times f(d_A, d_B) + \beta_A \bmod P$ and $\tilde{y}_A = y_A$.

Definition 5. For fixed values $d_A$ and $d_B$, the predicate $success_{d_A, d_B}(t, \alpha_B, \beta_B)$ is true if the protocol ends successfully, i.e. if $\alpha_A \neq 0$ and $(\tilde{\gamma}_{d_B} - \beta_A) \times \alpha_A^{-1} = (\tilde{y}_A - \beta_B) \times \alpha_B^{-1} \bmod P$.

Before proving the correctness of the protocol, let us state a lemma whose proof comes from elementary algebra arguments and that essentially says that the intersection of two non-parallel lines is reduced to one point in $(\mathbb{Z}_P)^2$.

Lemma 6. For fixed values of $d_A$, $d_B$, $y_A$ and for a given tuple $t$, if there exist two different pairs $(\alpha_B^1, \beta_B^1)$ and $(\alpha_B^2, \beta_B^2)$ such that $y_A = \alpha_B^1 \times f(d_A, d_B) + \beta_B^1 = \alpha_B^2 \times f(d_A, d_B) + \beta_B^2$ and $success_{d_A, d_B}(t, \alpha_B^i, \beta_B^i)$ for $i \in \{1, 2\}$, then Alice is pseudo-honest.



Lemma 7. If Alice has a cheating strategy such that the protocol ends successfully with probability $\varepsilon$, she is pseudo-honest with probability greater than $\varepsilon - \frac{1}{P - 1}$.

Proof. The probability distribution of $t = (\{\tilde{\gamma}_d\}_{d \in E_B}, \alpha_A, \beta_A, \tilde{y}_A)$ a priori depends on $d_A$, $d_B$, $\alpha_B$ and $\beta_B$. Property (ANDOS$_2$) applied to the second ANDOS (where Alice buys $y_A = \alpha_B \times f(d_A, d_B) + \beta_B \bmod P$ from Bob) shows that, for a fixed value $y_A$, the distribution of $t$ does not depend on which pair $(\alpha_B, \beta_B)$ with $y_A = \alpha_B \times f(d_A, d_B) + \beta_B \bmod P$ Bob has chosen. Consequently, this distribution only depends on $s = (d_A, d_B, y_A)$. Let us denote by $\mathcal{D}$ the distribution of the pairs $(\alpha_B, \beta_B)$ such that $y_A = \alpha_B \times f(d_A, d_B) + \beta_B \bmod P$ and by $\mathcal{T}$ the (non-uniform) distribution of the tuple $t$ for fixed values of $d_A$, $d_B$ and $y_A$. Let $\varepsilon$ be the probability of success of the protocol according to the cheating strategy of Alice and $\varepsilon_s$ be this probability for fixed values $s = (d_A, d_B, y_A)$:

$\varepsilon_s = \Pr_{(\alpha_B, \beta_B) \in \mathcal{D},\, t \in \mathcal{T}}\{success_{d_A, d_B}(t, \alpha_B, \beta_B)\}.$

Let $A_s$ be the set of the tuples $t$ such that $\Pr_{(\alpha_B, \beta_B) \in \mathcal{D}}\{success_{d_A, d_B}(t, \alpha_B, \beta_B)\} > \frac{1}{P - 1}$. Lemma 3 with $a = \varepsilon_s - \frac{1}{P - 1}$ proves that $\Pr_{t \in \mathcal{T}}\{t \in A_s\} > \varepsilon_s - \frac{1}{P - 1}$.

For fixed values of $d_A$, $d_B$ and $y_A$, there are exactly $P - 1$ pairs $(\alpha_B, \beta_B)$ with $\alpha_B \neq 0$ such that $y_A = \alpha_B \times f(d_A, d_B) + \beta_B \bmod P$, and the distribution $\mathcal{D}$ of those pairs is uniform since Bob chooses them randomly. If $t$ belongs to $A_s$, the probability $\Pr_{(\alpha_B, \beta_B) \in \mathcal{D}}\{success_{d_A, d_B}(t, \alpha_B, \beta_B)\}$ is greater than $\frac{1}{P - 1}$, so there exist two different pairs $(\alpha_B^1, \beta_B^1)$ and $(\alpha_B^2, \beta_B^2)$ such that $y_A = \alpha_B^i \times f(d_A, d_B) + \beta_B^i \bmod P$ and $success_{d_A, d_B}(t, \alpha_B^i, \beta_B^i)$ for $i \in \{1, 2\}$. According to Lemma 6, this proves that Alice is pseudo-honest.

We can now evaluate the probability for Alice to be pseudo-honest:

$\sum_s \Pr\{s\}\, \Pr_{t \in \mathcal{T}}\{t \in A_s\} > \sum_s \Pr\{s\}\left(\varepsilon_s - \frac{1}{P - 1}\right) = \varepsilon - \frac{1}{P - 1}.$

□



Theorem 8 (Correctness). Assume Alice has a cheating strategy such that the protocol ends successfully with probability $\varepsilon$. If an execution of the protocol is successful, the probability for the result to be $f(d_A, d_B)$ is greater than $1 - \frac{1}{\varepsilon (P - 1)}$.

Proof. The probability for Alice to be pseudo-honest conditioned by the knowledge that the protocol ends successfully is $\Pr\{success(t, \alpha_B, \beta_B) \,/\, \text{Alice PH}\} \times \Pr\{\text{Alice PH}\} \,/\, \Pr\{success(t, \alpha_B, \beta_B)\}$.

Lemma 7 proves $\Pr\{\text{Alice is pseudo-honest}\} > \varepsilon - \frac{1}{P - 1}$, by definition the probability of success is $\varepsilon$, and finally $\Pr\{success \,/\, \text{Alice PH}\} = 1$ because when Alice is pseudo-honest the protocol is successful. So the result of a successful execution is correct with probability $> 1 - \frac{1}{\varepsilon (P - 1)}$. □

When dealing with multiparty computation, an important characteristic is how fair the protocol is. During the shared generation of RSA keys, neither Alice nor Bob gains any advantage by stopping the interaction before its normal end, because such keys cannot be used alone. So our protocol is unfair, but it does not matter since our aim is not to design a general multiparty computation scheme but rather to obtain a scheme with no more properties than those needed for the generation of shared RSA keys.

Lemma 9. The knowledge of $f(d_A, d_B) \bmod P$ enables Alice to simulate the transcript of successful executions of the protocol.

Proof. We already said in Lemma 7 that the probability distribution of $t$ depends on $y_A$. Furthermore, for randomly chosen $(\alpha_B, \beta_B) \in \mathbb{Z}_P \times \mathbb{Z}_P$ and for any fixed value of $f(d_A, d_B)$, the distribution of $y_A = \alpha_B \times f(d_A, d_B) + \beta_B \bmod P$ is uniform.

Most of the simulation of Alice’s view is the same as in the case of honest players (Theorem 2). For a fixed value of $f(d_A, d_B)$, the view of Alice during the first ANDOS is simulated by the buying of $\tilde{\gamma}_d$ for a random value $d$. Her view during the second ANDOS is simulated by the buying of $y_A = \delta_{d_A} = \alpha_B f(d_A, d_B) + \beta_B \bmod P$ for randomly chosen $\alpha_B$, $\beta_B$ and $\delta_d$ for $d \neq d_A$. Then the simulator broadcasts $\alpha_A, \beta_A, \tilde{y}_A, \alpha_B, \beta_B, y_B$, where $y_B = \tilde{\gamma}_d$ for a randomly chosen $d$. Finally, the simulator is reset until the verification succeeds. □

Theorem 10 (Privacy). Assume Alice has a cheating strategy such that the protocol ends successfully with probability $\varepsilon$. After a successful execution of the protocol, Alice cannot learn more than

$\log \Delta - \frac{\varepsilon - \frac{1}{P - 1}}{\varepsilon}\left(\log \Delta + \log\left(\varepsilon - \frac{1}{P - 1}\right)\right)$

bits of information about $d_B$ in addition to the result $f(d_A, d_B)$.

Proof. Let $\nu_{d_A, t}$ be the random variable equal to the number of $\tilde{\gamma}_d$ correctly computed by Alice according to the revealed line $y = \alpha_A \cdot x + \beta_A \bmod P$, i.e. such that $\tilde{\gamma}_d = \alpha_A f(d_A, d) + \beta_A \bmod P$. For fixed $d_A$ and $t$, the probability for Alice to be pseudo-honest is exactly $\nu / \Delta$ if she reveals $\tilde{y}_A = y_A$, so the probability $\varepsilon'$ for Alice to be pseudo-honest is at most $\sum_{d_A, t} \Pr\{d_A, t\}\, \nu / \Delta$. Furthermore, if the protocol is successful, she learns exactly that $\tilde{\gamma}_{d_B}$ has been correctly computed and consequently learns that $d_B$ belongs to a set of size $\nu$. In order to estimate the information Alice learns in addition to the result $f(d_A, d_B)$, we evaluate the expected value of $\log \nu$ in case of success, $E(\log \nu \,/\, success) = \frac{1}{\varepsilon} \sum_{d_A, t} \Pr\{d_A, t\} \frac{\nu}{\Delta} \log \nu$. A convexity inequality applied to the function $F(x) = x \log x$ shows that

$E(\log \nu \,/\, success) \ge \frac{1}{\varepsilon \Delta} F(\varepsilon' \Delta) \ge \frac{\varepsilon - \frac{1}{P - 1}}{\varepsilon}\left(\log\left(\varepsilon - \frac{1}{P - 1}\right) + \log \Delta\right).$

□

Furthermore, it is important to notice that, if the final verification fails, Bob is convinced that Alice has tried to cheat, because the protocol is always successful when the players behave honestly.

Theorem 10 does not prove strict privacy because, with non-negligible probability, a malicious player can obtain a few bits about the other player’s secret without being caught. But, if we consider Alice and Bob as polynomial time Turing machines and if the probability of success is non-negligible, Alice does not learn much more information than what she could have guessed. More precisely, in the case of the generation of an RSA modulus $N$ for example, if the knowledge of about $-\log \varepsilon$ bits of information enabled Alice to factor $N$ in polynomial time, we could use her to factor $N$ in polynomial time without any other information.

When $P$ is large enough, the previous results are simpler:

Theorem 11. Assume Alice has a cheating strategy such that the protocol ends successfully with probability $\varepsilon$. If $\frac{1}{P - 1} = o(\varepsilon)$, the result of a successful execution is correct and Alice cannot learn more than $-\log \varepsilon$ bits of Bob’s secret in addition to $f(d_A, d_B)$.
Special Case of Algebraic Expressions

The protocol has been stated for polynomial size sets $E_A$ and $E_B$. When $f$ is an algebraic expression in $\mathbb{Z}_M$ and the inputs $d_A$ and $d_B$ are tuples of elements of $\mathbb{Z}_M$, if $M$ can be factored into small relatively prime factors $M = \prod_{i=1}^{k} m_i$ with $k$ and the $m_i$ polynomial in the security parameter, the protocol can also be used, even though $M$ is not polynomial.

Instead of performing the protocol previously described with the large modulus $M$, we can use it $k$ times, once with each modulus $m_i$. Finally, if $P > m_i$, Alice and Bob obtain $f(d_A, d_B) \bmod m_i$ for all $i$, and the result $f(d_A, d_B) \bmod M$ is computed with the Chinese remainder theorem. The more $M$ can be factored into relatively prime factors, the more efficient the protocol is. Consequently, as far as possible, we use a modulus $M$ equal to the product of the first $k$ prime numbers. Notice that Theorem 11 generalizes, because if Alice learns less than $-\log \varepsilon_i$ bits of information with probability $\varepsilon_i$ at round $i$, she learns less than $\sum_i -\log \varepsilon_i = -\log\left(\prod_i \varepsilon_i\right) = -\log \varepsilon$ bits with probability $\prod_i \varepsilon_i = \varepsilon$.

3 Computation of Shared RSA Keys

The computation of shared RSA keys by two parties can be efficiently performed using the protocol of the previous section. The first step consists in computing a candidate $N = (p_A + p_B) \times (q_A + q_B)$ and then testing whether $N$ is the product of two prime numbers. Such a test has been proposed by Boneh and Franklin. Then, the second part of the generation consists in computing a shared secret key associated with a public exponent $e$.



3.1 Computation of the Modulus N

Let $n$ be the size of the modulus we want to generate and let $[0, 2^{n/2 - 1}[$ be the range from which Alice and Bob randomly choose the components of their private inputs $d_A = (p_A, q_A) \in E_A$ and $d_B = (p_B, q_B) \in E_B$. They want to compute $f((p_A, q_A), (p_B, q_B)) = (p_A + p_B) \times (q_A + q_B) = N$. We choose $M$ as the smallest product of the first prime numbers greater than $2^n$. Consequently, the result of the computation modulo $M$ is the same as if the computation were done with integers. The function $f$ is an algebraic expression, so we can use the efficient protocol described in Section 2. This solves the problem of the efficient computation of a shared RSA modulus by only two parties, even if one of them is malicious.



3.2 Trial Division Test

Since Alice and Bob first choose their private data, compute $N$ and only afterwards test that $p_A + p_B$ and $q_A + q_B$ are indeed prime numbers, the generation procedure has to be repeated about $n^2 / 4$ times in order to obtain an RSA modulus $N$. Boneh and Franklin have proposed to perform a trial division test just after the random choice of $p_A$ and $p_B$ to check that $p_A + p_B$ is not divisible by a small prime number. This reduces the number of trials and consequently the complexity of the generation.

We can use our protocol again to test whether a small prime number $p$ divides $p_A + p_B$, just taking $d_A = p_A \bmod p$, $d_B = p_B \bmod p$, $E_A = E_B = \mathbb{Z}_p$ and $f(x, y) = 0$ if $x + y = 0 \bmod p$, $f(x, y) = 1$ otherwise. If during one trial division test the result 0 is obtained, Alice and Bob try again with new values $p_A$ and $p_B$. Consequently, if the test succeeds, Alice only learns that $p_A + p_B \neq 0 \bmod p$, and she would have learned it anyway after the test $N = pq$.

In addition to the generic cheating strategy analyzed in Theorem 10, Alice can use an input value $\tilde{p}_A$ different from $p_A \bmod p$. If she does this, she learns that $\tilde{p}_A + p_B \neq 0 \bmod p$, i.e. $\log(p) / p$ bits of $p_B$. Since Bob cannot know if she tried to cheat, Alice can make the protocol restart until she learns as much information as possible. If we denote by $V$ the set of tested prime numbers, the information learned by a malicious Alice is less than $\sum_{p \in V} \log(p) / p$ bits. If $V$ is the set of the first $\ell$ prime numbers, this leads to a maximal amount of information less than $\log(\ell \ln \ell)$. As an example, for $n = 1024$ one can test the first 200 prime numbers, as is usually advised. With our protocol, Alice can learn at most 9 bits of information about $p_B$.
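As an added example that is not part of the paper, the following Python code implements the Section 2 protocol (steps (1) to (6)) on top of an idealised ANDOS and then uses it as described in Sections 3.1 and 3.2: the modulus $N = (p_A + p_B)(q_A + q_B)$ is evaluated modulo each small prime of $M > 2^n$ with the inputs reduced modulo that prime and recombined with the Chinese remainder theorem, and a trial division test decides whether a small prime divides $p_A + p_B$. The function `ideal_andos`, the names `two_party_eval`, `shared_modulus`, `small_prime_divides_sum` and the toy parameters in `demo` are this example’s own choices; in particular the idealised ANDOS simply hands the buyer the chosen secret, which models the functionality but provides none of its security.

```python
import random
from math import isqrt

def ideal_andos(secrets, index):
    """Stand-in for the ANDOS primitive (assumption): the buyer obtains exactly
    secrets[index] and the seller learns nothing about index. A deployment would
    replace this function by a 1-out-of-n oblivious transfer."""
    return secrets[index]

def two_party_eval(f, d_A, d_B, E_A, E_B, P, rng, alice_lies=False):
    """Steps (1)-(6) of the Section 2 protocol for a prime P.
    Returns (f(d_A, d_B) mod P, True), or (None, False) when the check of step (6) fails.
    alpha_A and alpha_B are drawn from Z_P^* so that honest runs never fail."""
    alpha_A, beta_A = rng.randrange(1, P), rng.randrange(P)           # (1) Alice's secret line
    gammas = {d: (alpha_A * f(d_A, d) + beta_A) % P for d in E_B}     # (2) Alice sells gamma_d ...
    y_B = ideal_andos(gammas, d_B)                                    #     ... Bob buys gamma_{d_B}
    alpha_B, beta_B = rng.randrange(1, P), rng.randrange(P)           # (3) Bob's secret line
    deltas = {d: (alpha_B * f(d, d_B) + beta_B) % P for d in E_A}     # (4) Bob sells delta_d ...
    y_A = ideal_andos(deltas, d_A)                                    #     ... Alice buys delta_{d_A}
    if alice_lies:                       # a cheating Alice broadcasts a value she did not buy
        y_A = (y_A + 1) % P
    # (5) both broadcast (alpha, beta, y); (6) the two lines must cross at the same abscissa
    x_from_alice = (y_B - beta_A) * pow(alpha_A, -1, P) % P
    x_from_bob = (y_A - beta_B) * pow(alpha_B, -1, P) % P
    if x_from_alice != x_from_bob:
        return None, False
    return x_from_bob, True

def primes_with_product_above(bound):
    """First primes m_1, ..., m_k whose product exceeds bound (the paper's M)."""
    primes, product, candidate = [], 1, 2
    while product <= bound:
        if all(candidate % r for r in range(2, isqrt(candidate) + 1)):
            primes.append(candidate)
            product *= candidate
        candidate += 1
    return primes

def crt_combine(residues, moduli):
    """Garner's form of the Chinese remainder theorem for pairwise coprime moduli."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * ((r - x) * pow(M, -1, m) % m)
        M *= m
    return x

def shared_modulus(p_A, q_A, p_B, q_B, n, rng):
    """Section 3.1: N = (p_A + p_B)(q_A + q_B) for an n-bit N, evaluated modulo every
    small prime m of M > 2^n with inputs reduced mod m and E_A = E_B = Z_m x Z_m,
    then recombined. Returns N, or None if some run failed the check."""
    moduli = primes_with_product_above(1 << n)
    residues = []
    for m in moduli:
        domain = [(a, b) for a in range(m) for b in range(m)]
        f = lambda u, v: (u[0] + v[0]) * (u[1] + v[1])
        r, ok = two_party_eval(f, (p_A % m, q_A % m), (p_B % m, q_B % m), domain, domain, m, rng)
        if not ok:
            return None
        residues.append(r)
    return crt_combine(residues, moduli)

def small_prime_divides_sum(p_A, p_B, prime, rng):
    """Section 3.2 trial division: the parties learn only whether prime | p_A + p_B
    (result 0) or not (result 1); inputs are the residues mod prime, E_A = E_B = Z_prime."""
    f = lambda x, y: 0 if (x + y) % prime == 0 else 1
    return two_party_eval(f, p_A % prime, p_B % prime, range(prime), range(prime), prime, rng)

def demo(seed=1):
    """Constructed toy instance: p = 100 + 57 = 157 and q = 200 + 51 = 251 (both prime), n = 16."""
    rng = random.Random(seed)
    N = shared_modulus(100, 200, 57, 51, 16, rng)
    honest = two_party_eval(lambda x, y: x * y + x + y, 3, 5, range(8), range(8), 101, rng)
    cheating = two_party_eval(lambda x, y: x * y + x + y, 3, 5, range(8), range(8), 101, rng, alice_lies=True)
    divisible = small_prime_divides_sum(100, 59, 3, rng)     # 159 = 3 * 53
    return N, honest, cheating, divisible

if __name__ == "__main__":
    print(demo())    # (39407, (23, True), (None, False), (0, True))
```

Running `demo()` computes $N = 157 \times 251$ through seven runs of the protocol (moduli 2 to 17), evaluates a toy polynomial honestly and with a lying Alice (the check of step (6) rejects her), and reports that 3 divides $100 + 59$. The per-prime domains $\mathbb{Z}_m \times \mathbb{Z}_m$ are what keeps the sold lists polynomial in size even though $M$ itself is not.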



3.3 Efficiency Improvement

A more efficient and more secure way to choose secret data that have more chance to lead to an RSA modulus consists in choosing $p_A$ and $p_B$ (resp. $q_A$ and $q_B$) such that $p_A + p_B$ is not divisible by a very small prime number. More precisely, let $M'$ be a product of the first odd prime numbers such that $M' \le 2^{n/2 - 1}$. The choice of $p_A$ and $p_B$ by Alice and Bob is performed as follows:

(1) Alice randomly chooses $p'_A \in \mathbb{Z}_{M'}^*$ and $p_A \in \mathbb{Z}_{M'}$,

(2) Bob randomly chooses $p'_B \in \mathbb{Z}_{M'}^*$ and $\tilde{p}_B \in \mathbb{Z}_{M'}$,

(3) Alice and Bob perform a protocol as described in Section 2 with $d_A = (p'_A, p_A)$, $d_B = (p'_B, \tilde{p}_B)$ and

$f((p'_A, p_A), (p'_B, \tilde{p}_B)) = p'_A \times p'_B - p_A - \tilde{p}_B \bmod M',$

(4) Bob obtains the value $\delta$ and computes $p_B = \delta + \tilde{p}_B \bmod M'$.

This protocol enables Alice and Bob to privately and efficiently obtain $p_A$ and $p_B$ such that $p_A + p_B = p'_A \times p'_B \bmod M'$, so that none of the first odd prime numbers divides $p_A + p_B$.

Alice could try to cheat using $p'_A \notin \mathbb{Z}_{M'}^*$, but the design of the two-party computation protocol obliges Alice and Bob to input data in $\mathbb{Z}_{M'}^* \times \mathbb{Z}_{M'}$. Furthermore, the knowledge of $p_B = p'_A \times p'_B - p_A \bmod M'$ does not help Bob to learn more than $p_A + p_B \in \mathbb{Z}_{M'}^*$ because $\forall p'_B \in \mathbb{Z}_{M'}^*$, $p'_B \times \mathbb{Z}_{M'}^* = \mathbb{Z}_{M'}^*$. After this preliminary step, Bob could use a different $p_B$, but this would just reduce the efficiency of the protocol and cannot be used as a way to cheat. The aim of this computation is just to help Bob in choosing a reasonable $p_B$.

In conclusion, an efficient strategy to compute a good $N$ consists in generating $p_A$ and $p_B$ with this protocol, possibly testing a few more trial divisions, doing the same with $q_A$ and $q_B$, computing $N$ and finally testing whether $N$ is actually the product of two large prime integers.
It would be interesting to generate an RSA modulus $N$ such that the prime factors $p$ and $q$ are strong primes. We do not know how to achieve this, but we can test whether $(p - 1) / 2$ is divisible by small prime numbers or not. To do this, we just use the protocol designed for the trial division test, with the function $f(x, y) = 0$ if $(x + y - 1) / 2 = 0 \bmod p$ and $f(x, y) = 1$ otherwise.



3.4 Generation of the Shared Private Keys

When $N$ has been generated and tested, the last step is the choice of a public exponent $e$ and of a secret one $d$. More precisely, we want Alice to know $d_A$ and Bob $d_B$ such that $e \times (d_A + d_B) = 1 \bmod \varphi(N)$.

Let $\varphi_A$ be $N - p_A - q_A + 1$ and $\varphi_B$ be $-(p_B + q_B)$, so that $\varphi_A + \varphi_B = \varphi(N)$. Let $M''$ be the smallest product of the first prime integers greater than $2e \times 2^n$.

(1) Alice randomly chooses $\zeta_A \in \mathbb{Z}_e$,

(2) Alice and Bob privately compute $-(\varphi_A + \varphi_B)^{-1} - \zeta_A \bmod e$ and only Bob obtains the result $\zeta_B$, as in the protocol of Section 2,

(3) Alice randomly chooses $T_A \in \mathbb{Z}_{M''}$,

(4) Alice and Bob privately compute $(\varphi_A + \varphi_B) \times (\zeta_A + \zeta_B) + 1 - T_A \bmod M''$ and only Bob obtains the result $T_B$,

(5) Alice computes her secret share $d_A = \lfloor T_A / e \rfloor$,

(6) Bob computes his secret share $d_B = \lfloor T_B / e \rfloor$,

(7) Alice and Bob verify that $e(d_A + d_B) = 1 \bmod \varphi(N)$.

In order to verify that $d_A$ and $d_B$ have been correctly computed, Alice chooses a random message $m$ and sends to Bob a value $c$ computed from $m$ modulo $N$; Bob replies with the original message $m$ to prove that he knows $d_B$. Then Bob verifies in the same way that Alice owns a correct exponent $d_A$.

This protocol is based on the algorithm Boneh and Franklin used to compute $e^{-1} \bmod \varphi(N)$. They have noticed that this computation can be done without reduction modulo $\varphi(N)$ but just with reductions modulo $e$. Their algorithm is the following: first compute $C = -\varphi(N)^{-1} \bmod e$ and then take $T = C \varphi(N) + 1$. Since $e$ divides $T$, $d = T / e$ verifies $ed = 1 \bmod \varphi(N)$.

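The following Python code, added here and not taken from the paper, walks through steps (1) to (7) of Section 3.4 and the Boneh-Franklin inverse computation on a toy modulus. The two private evaluations are replaced by `private_eval`, a stand-in that computes the expression directly (the Section 2 protocol would be used in practice), so the code demonstrates the exponent arithmetic rather than the privacy. Two effects are visible in a run: the floor divisions of steps (5) and (6) can lose one unit, which the check of step (7) detects and which is repaired by trying $d_B + 1$, and since $T_B$ is reduced modulo $M''$ the shares reconstruct $T$ over the integers only when $T_A \le T$, so the code repeats the protocol until the check passes. The function names and the instance in `demo` ($p = 1019$, $q = 1223$, $e = 17$) are this example’s own.

```python
import random
from math import isqrt

def smallest_primorial_above(bound):
    """Product of the first primes, extended until it exceeds bound (the paper's M'')."""
    product, candidate = 1, 2
    while product <= bound:
        if all(candidate % r for r in range(2, isqrt(candidate) + 1)):
            product *= candidate
        candidate += 1
    return product

def private_eval(expression, *inputs):
    """Stand-in (assumption) for the two-party evaluation of Section 2: in the real
    scheme only the designated party learns the value; here it is simply computed."""
    return expression(*inputs)

def share_private_exponent(N, e, p_A, q_A, p_B, q_B, rng):
    """One run of steps (1)-(6). Returns the candidate shares (d_A, d_B)."""
    phi_A = N - p_A - q_A + 1             # Alice's additive share of phi(N)
    phi_B = -(p_B + q_B)                  # Bob's share: phi_A + phi_B = (p - 1)(q - 1)
    M2 = smallest_primorial_above(2 * e << N.bit_length())   # M'' > 2e * 2^n, so T < M'' below
    zeta_A = rng.randrange(e)                                                    # (1)
    zeta_B = private_eval(lambda a, b, z: (-pow(a + b, -1, e) - z) % e,
                          phi_A, phi_B, zeta_A)                 # (2) zeta_A + zeta_B = -phi^{-1} mod e
    T_A = rng.randrange(M2)                                                      # (3)
    T_B = private_eval(lambda a, b, za, zb, t: ((a + b) * (za + zb) + 1 - t) % M2,
                       phi_A, phi_B, zeta_A, zeta_B, T_A)       # (4) T_A + T_B = phi*(zeta_A+zeta_B) + 1 mod M''
    return T_A // e, T_B // e                                                    # (5), (6): e divides T

def shares_are_valid(N, e, d_A, d_B, rng, trials=2):
    """Step (7) without combining the shares: Alice encrypts a random m, each party
    raises the ciphertext to its own share, and the product must give m back."""
    for _ in range(trials):
        m = rng.randrange(2, N - 1)
        c = pow(m, e, N)
        if pow(c, d_A, N) * pow(c, d_B, N) % N != m:
            return False
    return True

def generate_shared_private_key(N, e, p_A, q_A, p_B, q_B, rng, max_runs=5000):
    """Repeats the protocol until the check passes. A run fails for two reasons: the
    two floor divisions can lose one unit, which Bob repairs by trying d_B + 1, and
    T_A + T_B equals T over the integers only when T_A <= T, because T_B was reduced
    modulo M''."""
    for _ in range(max_runs):
        d_A, d_B = share_private_exponent(N, e, p_A, q_A, p_B, q_B, rng)
        for fix in (0, 1):
            if shares_are_valid(N, e, d_A, d_B + fix, rng):
                return d_A, d_B + fix
    raise RuntimeError("no valid share pair found")

def demo(seed=2024):
    """Constructed toy instance: p = 700 + 319 = 1019 and q = 1000 + 223 = 1223 (both prime), e = 17."""
    rng = random.Random(seed)
    N, e = 1019 * 1223, 17
    d_A, d_B = generate_shared_private_key(N, e, 700, 1000, 319, 223, rng)
    return d_A, d_B, e * (d_A + d_B) % (1018 * 1222)     # last value is 1

if __name__ == "__main__":
    print(demo())
```

The check in `shares_are_valid` is the natural two-party form of step (7): neither party ever sees the other’s share, only the partial decryption $c^{d_A}$ or $c^{d_B}$, and the relation $e(d_A + d_B) = 1 \bmod \varphi(N)$ is confirmed by the round trip on a random message.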

Comparison with General 2-Party Computation Schemes



We said in the introduction that, from a theoretical point of view, there already exist general protocols that make it possible to privately evaluate expressions like $N = (p_A + p_B) \times (q_A + q_B)$ in polynomial time. All those schemes transform 2-party computations into secure evaluations of logical circuits. This reduces any computation to the combination of a very small set of elementary protocols, like the computation of the logical AND of two bits, at the cost of polynomial but impractical solutions.

If we focus on the multiplication $N = (p_A + p_B) \times (q_A + q_B)$, with $p_A$, $p_B$, $q_A$ and $q_B$ four $(n/2 - 1)$-bit integers, the most practical logical circuit able to evaluate $N$ needs $O(n^2)$ gates and its depth is $O(n)$. Using the known general constructions, we obtain a protocol that privately computes $N$ with a communication complexity of $O(n^2)$ and with at least $O(n)$ rounds of communication (for a fixed value of the security parameter).

In order to compare this complexity with our scheme’s, we need to choose an ANDOS protocol. The one we rely on has a communication complexity denoted $C(t)$ when one secret out of $t$ is sold, with a parameter $\alpha \approx 1.1$, and needs a constant number of rounds of communication. The global communication complexity of our scheme is $2 \sum_{i=1}^{k} C(p_i^2)$ with $2^n \approx \prod_{i=1}^{k} p_i$ and $p_i$ the $i$-th prime number. Consequently, this complexity is $o(n^\beta)$ for every $\beta > 1$. So, asymptotically, our solution is about $O(n)$ times more efficient than general ones in terms of communication complexity. Furthermore, the $k$ ANDOS can be run in parallel, so the resulting protocol has a constant number of rounds of communication while general solutions need at least $O(n)$ rounds.

From a more practical point of view, we estimate the communication to 2 MB when $n = 768$ bits. A general solution would clearly be much less efficient since it would need at least $(n/2)^2 \approx 150{,}000$ Rabin oblivious transfers and a few hundred rounds of communication.

In conclusion, our scheme is much more practical than those derived from general solutions while it is still based on very general security assumptions. But the secure computation of shared RSA keys always seems to need powerful computers linked by high-rate networks. We propose in the appendix an alternative solution, less general since it is based on a specific number-theoretic problem, but which enables very efficient computations and transmissions.
A An Efficient Solution Based on the Higher Residues Cryptosystem

Using a specific number-theoretic problem, we can also propose a much simpler and more efficient solution that does not need many rounds of communication. It is based on a trapdoor version of the discrete logarithm problem. More precisely, Alice chooses parameters for the Naccache-Stern cryptosystem based on higher residues, i.e. $\sigma$ a squarefree odd $B$-smooth integer greater than $2^n$, where $B$ is a small integer, $N_A$ an RSA modulus such that $\sigma$ divides $\varphi(N_A)$, and $g$ an element whose multiplicative order modulo $N_A$ is a large multiple of $\sigma$.

The computation of $N = (p_A + p_B) \times (q_A + q_B)$ can be easily done with the following protocol that, on secret inputs $x_A$ and $x_B$ of Alice and Bob, makes them obtain $y_A$ and $y_B$ such that $y_A + y_B = x_A x_B \bmod \sigma$:

— Alice chooses a random $x$, computes $c = x^{\sigma} g^{x_A} \bmod N_A$ and sends it to Bob,

— Bob chooses $y_B \bmod \sigma$ and $x'$, computes $d = c^{x_B} x'^{\sigma} g^{-y_B} \bmod N_A$ and sends $d$ to Alice,

— Alice decrypts $d$ and obtains $y_A = x_A x_B - y_B \bmod \sigma$.

The security analysis of this protocol is out of the scope of this appendix. We can just notice that a commitment to $p_A$, $p_B$, $q_A$ and $q_B$ and a verification of the correctness of the result have to be added (as in previous work). This can be done using modular exponentiation and its homomorphic property.
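As an added example (not the paper’s own code), the Python below implements the appendix protocol with a toy Naccache-Stern instance: generation of $\sigma$, $N_A$ and $g$, encryption $x^{\sigma} g^{m} \bmod N_A$, decryption by a discrete logarithm in each small subgroup followed by the Chinese remainder theorem, the three-message product-sharing exchange, and its use to give Alice and Bob additive shares of $N = (p_A + p_B)(q_A + q_B)$ modulo $\sigma$ (the two cross products are shared; the squares each party computes alone). The parameters in `demo` ($\sigma = 3 \cdot 5 \cdot 7 \cdot 11$, $N_A = 31 \cdot 617$) are constructed so that $\sigma$ divides $\varphi(N_A)$ and are far too small to be secure; the commitments and correctness checks the appendix says must be added are not included.

```python
import random
from math import gcd

def naccache_stern_keys(sigma_primes, p, q):
    """Alice's parameters: sigma = product of the small odd primes, N_A = p*q with
    sigma | phi(N_A), and g whose order modulo N_A is divisible by every prime of sigma
    (checked as g^(phi/r) != 1), hence a multiple of sigma."""
    sigma = 1
    for r in sigma_primes:
        sigma *= r
    N_A, phi = p * q, (p - 1) * (q - 1)
    if phi % sigma:
        raise ValueError("sigma must divide phi(N_A)")
    for g in range(2, N_A):
        if gcd(g, N_A) == 1 and all(pow(g, phi // r, N_A) != 1 for r in sigma_primes):
            return sigma, N_A, g, phi
    raise ValueError("no suitable g")

def ns_encrypt(m, sigma, N_A, g, rng):
    """c = x^sigma * g^m mod N_A for a random unit x; only m mod sigma is recoverable."""
    x = rng.randrange(2, N_A)
    while gcd(x, N_A) != 1:
        x = rng.randrange(2, N_A)
    return pow(x, sigma, N_A) * pow(g, m, N_A) % N_A

def ns_decrypt(c, sigma_primes, N_A, g, phi):
    """Recover m mod sigma: c^(phi/r) = (g^(phi/r))^(m mod r) kills the x^sigma part,
    the small exponent is found by exhaustive search, and the residues are recombined."""
    m, modulus = 0, 1
    for r in sigma_primes:
        target, base = pow(c, phi // r, N_A), pow(g, phi // r, N_A)
        j = next(j for j in range(r) if pow(base, j, N_A) == target)   # m mod r
        m += modulus * ((j - m) * pow(modulus, -1, r) % r)             # CRT step
        modulus *= r
    return m

def share_product(x_A, x_B, params, rng):
    """Appendix protocol: Alice ends with y_A, Bob with y_B, and y_A + y_B = x_A*x_B mod sigma.
    Bob only sees an encryption of x_A; Alice only sees an encryption of x_A*x_B - y_B."""
    sigma_primes, sigma, N_A, g, phi = params
    c = ns_encrypt(x_A, sigma, N_A, g, rng)                                      # Alice -> Bob
    y_B = rng.randrange(sigma)                                                   # Bob's share
    d = pow(c, x_B, N_A) * ns_encrypt(-y_B % sigma, sigma, N_A, g, rng) % N_A   # Bob -> Alice
    y_A = ns_decrypt(d, sigma_primes, N_A, g, phi)                               # Alice decrypts
    return y_A, y_B

def shared_modulus(p_A, q_A, p_B, q_B, params, rng):
    """N = (p_A+p_B)(q_A+q_B) = p_A*q_A + p_B*q_B + p_A*q_B + q_A*p_B: the two cross
    terms are shared with share_product, so each party holds an additive share of N
    modulo sigma (equal to N itself once the shares are added, since N < sigma)."""
    sigma = params[1]
    a1, b1 = share_product(p_A, q_B, params, rng)    # Alice inputs p_A, Bob inputs q_B
    a2, b2 = share_product(q_A, p_B, params, rng)    # Alice inputs q_A, Bob inputs p_B
    return (p_A * q_A + a1 + a2) % sigma, (p_B * q_B + b1 + b2) % sigma

def demo(seed=5):
    """Constructed toy parameters (insecure size): sigma = 3*5*7*11 = 1155,
    N_A = 31 * 617 with phi(N_A) = 30 * 616 = 16 * sigma."""
    rng = random.Random(seed)
    primes = [3, 5, 7, 11]
    sigma, N_A, g, phi = naccache_stern_keys(primes, 31, 617)
    params = (primes, sigma, N_A, g, phi)
    y_A, y_B = share_product(123, 456, params, rng)
    share_A, share_B = shared_modulus(2, 3, 3, 4, params, rng)    # N = (2+3)(3+4) = 35
    return (y_A + y_B) % sigma, (share_A + share_B) % sigma

if __name__ == "__main__":
    print(demo())    # (648, 35): 123*456 mod 1155, and N
```

Bob’s message is a fresh encryption of $x_A x_B - y_B$: the factor $c^{x_B}$ carries $x_A x_B$ in the exponent of $g$, and $x'^{\sigma} g^{-y_B}$ re-randomises it, so Alice’s decryption yields her share and nothing about $x_B$ beyond it. The decryption works because $\sigma \mid \varphi(N_A)$ makes $x^{\sigma \varphi(N_A)/r} = 1$ while $g^{\varphi(N_A)/r}$ has order exactly $r$.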
Abstract. We show that for low public exponent RSA, given a quarter of the bits of the private key an adversary can recover the entire private key. Similar results (though not as strong) are obtained for larger values of $e$. For instance, when $e$ is a prime in a certain range, half the bits of the private key suffice to reconstruct the entire private key. Our results point out the danger of partial key exposure in the RSA public key system.

1 Introduction 

Let $N = pq$ be an RSA modulus and let $e, d$ be encryption/decryption exponents, i.e. $ed = 1 \bmod \varphi(N)$. We study the following question: how many bits of $d$ does an adversary require in order to reconstruct all of $d$? Surprisingly, we show that for low public exponent RSA, given only a quarter of the least significant bits of $d$ an adversary can efficiently recover all of $d$. We obtain similar results, summarized in the next subsection, for larger values of $e$ as well. Our results show that RSA, and particularly low public exponent RSA, is vulnerable to partial key exposure. We refer to this class of attacks as partial key exposure attacks.

To motivate this problem, consider a computer system which has an RSA private key stored on it. An adversary may attempt to attack the system in a variety of ways in order to obtain the private key. Some attacks (e.g. a timing attack) are able to reveal some bits of the key, but may fail to reveal the entire key. Our results show that attacks such as the timing attack on RSA need only be carried out until a quarter of the least significant bits of $d$ are exposed. Once these bits are revealed the adversary can efficiently compute all of $d$. Another scenario where partial key exposure comes up is in the presence of covert channels. Such channels are often slow or have a bounded capacity. Our results show that as long as a fraction of the private exponent bits can be leaked, the remaining bits can be reconstructed.

It is natural to ask the analogous question in the context of discrete log
schemes. For instance, given a fraction of the bits of the private key in the
ElGamal public key system [?], can one efficiently recover the entire key? There
is no known method for doing so. Furthermore, the common belief is that no such
efficient algorithm exists. This resistance to partial key exposure is an interesting
distinction between RSA and discrete log schemes.

We note that Wiener [?] showed that RSA is insecure whenever the private
exponent d is less than $N^{1/4}$. In other words, given that the 3/4 most significant
bits of d are zero an adversary can efficiently recover the remaining quarter. This
result does not apply to our problem: Wiener's continued fractions approach
does not work when the most significant bits of d are given to the adversary,
but they are non-zero. Instead, we derive our results using powerful tools due to
Coppersmith [?].

Let N = pq be an n-bit RSA modulus. Throughout the paper we view the
private exponent d as an n-bit string. When referring to the t most significant
bits of d we refer to the t leftmost bits of d when viewed as an n-bit string. For
instance, it is possible that the t most significant bits of d are all zero, for some
t. Similarly, a quarter of the bits of d always refers to n/4 bits.



1.1 Summary of Results 

We summarize our results in the following two theorems. The proofs are given
in the body of the paper. The first theorem applies to low public exponent RSA.
The second applies to larger values of e. Throughout we assume N = pq is an
RSA modulus with $\sqrt{N}/2 < q < p < 2\sqrt{N}$.

Theorem 1. Let N = pq be an n-bit RSA modulus. Let $1 < e, d < \phi(N)$ satisfy
$ed \equiv 1 \pmod{\phi(N)}$. There is an algorithm that given the n/4 least significant bits
of d computes all of d in polynomial time in n and e.

We note that the running time of the attack algorithm in the above theorem
is linear in e. Consequently, as long as e is not "too large" the attack can be
efficiently mounted. For a very small value of e such as e = 3 the attack runs in
a reasonable amount of time. For larger values, such as e = 65537, the attack is
still feasible, though it clearly takes much longer.

Theorem 2. Let N = pq be an n-bit RSA modulus. Let $1 < e, d < \phi(N)$ satisfy
$ed \equiv 1 \pmod{\phi(N)}$.

1. Suppose e is a prime in the range $[2^t \ldots 2^{t+1}]$ with $n/4 \le t \le n/2$. Then given
the t most significant bits of d there is a polynomial time (in n) algorithm
to compute all of d.

2. More generally, suppose $e \in [2^t \ldots 2^{t+1}]$ is the product of at most r distinct
primes with $n/4 \le t \le n/2$. Then given the factorization of e and the t most
significant bits of d there is an algorithm to compute all of d in polynomial
time in n and $2^r$.

3. When the factorization of e is unknown, we obtain a weaker result. Suppose
e is in the range $[2^t \ldots 2^{t+1}]$ with $t \in 0 \ldots n/2$. Further, suppose $d > \epsilon N$ for
some $\epsilon > 0$. Then there is a polynomial time (in n and $1/\epsilon$) algorithm that
given the n − t most significant bits of d, computes all of d.
Theorem 2 applies to public exponents e in the range $2^{n/4} < e < 2^{n/2}$.
Unlike the previous theorem, Theorem 2 makes use of the most significant bits
of d. When e is prime, at most half the bits of d are required to mount the
attack. Fewer bits are needed when e is smaller. Indeed, if e is close to $2^{n/4}$ only
a quarter of the MSB bits of d are required. The same result holds when e is not
prime, as long as we are given the factorization of e and e does not have too
many distinct prime factors. The last part of the theorem applies to $e < 2^{n/2}$
when the factorization of e is not known. To mount the attack, at least half the
MSB bits of d are required. More bits are necessary, the smaller e is. The attack
algorithm works for most e, but may fail if d is significantly smaller than N.

One may refine Theorem 2 in many ways. It is possible to obtain other results
along these lines for public exponents $e < 2^{n/2}$. For instance, consider the case
when the factorization of e is unknown. If the adversary is given half the most
significant bits of d and a quarter of the least significant bits then we show the
adversary can recover all of d. When $e < 2^{n/2}$ this is better than the results of
Theorem 2 part (3). However, we view attacks that require a non-consecutive
segment of d as artificial. We briefly sketch these variants in Section 4.3.



1.2 Notation 

Throughout the paper we let N = pq denote an n-bit RSA modulus. We assume
the primes p and q are distinct and close to $\sqrt{N}$. More precisely, we assume

$$ 4 < \sqrt{N}/2 < q < p < 2\sqrt{N} \qquad (1) $$

We denote the set of such n-bit RSA moduli by $Z_{(2)}(n)$. Our results also apply
to RSA moduli N = pq where p is much larger than q, but we do not give the
details here.

Notice that equation (1) implies $p + q < 3\sqrt{N}$. For convenience, throughout
the paper we set

$$ s := p + q. $$

Under the assumption p > q this implies:

$$ p = \tfrac{1}{2}\left(s + \sqrt{s^2 - 4N}\right). \qquad (2) $$

Furthermore, it follows by equation (1) that

$$ N/2 < N - 4\sqrt{N} < \phi(N) < N. \qquad (3) $$

Let $1 < e, d < \phi(N)$ be encryption/decryption exponents. Then $ed \equiv 1 \pmod{\phi(N)}$.
Throughout the paper we denote by k the unique integer such that:

$$ ed - k\phi(N) = ed - k(N - s + 1) = 1. \qquad (4) $$

Since $\phi(N) > d$ we know that k < e.
2 Finding Small Solutions to Bivariate Polynomials

Our results make heavy use of seminal results due to Coppersmith. Using the
lattice basis reduction algorithm of Lenstra, Lenstra, and Lovasz [?], Coppersmith [?]
shows how to find small solutions $(x_0, y_0)$ to a bivariate polynomial
f(x, y), provided appropriate bounds on $x_0$ and $y_0$ are known in advance.

Theorem 3 (Coppersmith [?]). Let f(x, y) be a polynomial in two variables
over Z, of maximum degree $\delta$ in each variable separately, and assume the coefficients
of f are relatively prime as a set. Let X, Y be bounds on the desired solutions
$x_0, y_0$. Define $\tilde{f}(x, y) := f(Xx, Yy)$ and let D be the absolute value of the
largest coefficient of $\tilde{f}$. If $XY < D^{2/(3\delta)}$ then in time polynomial in $(\log D, 2^\delta)$,
we can find all integer pairs $(x_0, y_0)$ with $f(x_0, y_0) = 0$, $|x_0| \le X$, $|y_0| \le Y$.

We make use of an immediate consequence of this theorem, which is a slight
generalization of a result in [?].

Corollary 1. Let N = pq be an n-bit RSA modulus. Let $r \ge 2^{n/4}$ be given
and suppose $p_0 := p \bmod r$ is known. Then it is possible to factor N in time
polynomial in n.

Proof. From $p_0 = p \bmod r$ we may find $q_0 := q = N/p_0 \bmod r$. We seek a
solution $(x_0, y_0)$ to $f(x, y) = (rx + p_0)(ry + q_0) - N$, where $0 \le x_0 \le X = 2^{n/2+1}/r$
(similarly $y_0 \le Y = 2^{n/2+1}/r$). Notice, however, that the greatest common
divisor of the coefficients of the polynomial f(x, y) is r, so to use Theorem 3
we must divide through by r to get a new polynomial g(x, y) = f(x, y)/r. Now
notice that the largest coefficient of $\tilde{g}(x, y) = g(Xx, Yy)$ is at least $2^{n+1}/r$. So,
to use Theorem 3 we require

$$ XY = r^{-2} 2^{n+2} < (2^{n+1}/r)^{2/3}, $$

which is satisfied whenever $r > 2^{n/4+1}$. By doing exhaustive search on the first
two bits of $x_0$ and $y_0$ this can be reduced to $r \ge 2^{n/4}$. □



3 Partial Key Exposure Attack on Low-exponent RSA 

In this section we consider attacks on the RSA cryptosystem with a "small"
exponent e. For our purposes, "small" implies that exhaustive search on all values
less than e is feasible. In particular, since k < e holds, our attack algorithm
can try all possible values of k (recall that k is the unique integer satisfying
$de - k\phi(N) = 1$). We can now prove Theorem 1.

Theorem 4. With the notation as in Section 1.2, given the n/4 least significant
bits of d, we can factor N in polynomial time in n and e.
Proof. Suppose we are given the least-significant n/4-bit block of d; that is, we
know $d_0 = d \bmod 2^{n/4}$. By Equation (4) we have

$$ ed_0 \equiv 1 + k(N - s + 1) \pmod{2^{n/4}}. $$

Recall that s = p + q. The attack algorithm tries all candidate values for k in the
range [0 ... e]. For each candidate value, the algorithm solves the above equation
for $s \bmod 2^{n/4}$. Given a candidate value for $s \bmod 2^{n/4}$ the algorithm can find
$p \bmod 2^{n/4}$ by solving the quadratic equation

$$ p^2 - sp + N \equiv 0 \pmod{2^{n/4}} $$

Given a candidate value for $p \bmod 2^{n/4}$ we run the algorithm of Corollary 1 to
try to factor N. After at most e attempts the correct value of $p \bmod 2^{n/4}$ is obtained
and the factorization of N is exposed. The total running time is linear in e. □



We did not employ the full generality of Corollary 1, as mod r bits could
have been used for any $r \ge 2^{n/4}$. This will be used in the next section where we
consider more sophisticated key exposure attacks.

One may wonder whether a similar partial key exposure attack is possible
using the most significant bits of d. The answer is no. The reason is that low
public exponent RSA leaks half the most significant bits of d. In other words,
the adversary may obtain half the most significant bits of d from e and N alone.
Consequently, revealing the most significant bits of d does not help the adversary
in exposing the rest of d. This is stated more precisely in the following fact.



Fact 5. With the notation as in Section 1.2, suppose there exists an algorithm
A that given the n/2 MSB bits of d discovers all of d in time t(n). Then there
exists an algorithm B that breaks RSA in time e·t(n).



Proof. Observe that by Equation (4) we have $d = (1 + k(N + 1 - p - q))/e$. Let
$\tilde{d}$ be

$$ \tilde{d} = \frac{1 + k(N + 1)}{e}. $$

Then

$$ 0 < \tilde{d} - d \le k(p + q)/e < 3k\sqrt{N}/e < 3\sqrt{N}. $$

It follows that $\tilde{d}$ matches d on the n/2 most significant bits of d. Hence, once k
is known, the half most significant bits of d are exposed. With this observation,
algorithm B can work as follows: try all possible values of k in the range [0 ... e].
For each candidate, compute the value $\tilde{d}$. Run algorithm A giving it half the
most significant bits of $\tilde{d}$. Once the correct k is found the entire private key is
exposed. □



Fact 5 explains why for low exponent RSA one cannot mount a partial key
recovery attack given the most significant bits of d. It is natural to ask whether
one can expose all of d given a quarter of the low order bits of d that are not
necessarily the least significant ones. For instance, can the attack be mounted
given the n/4 bits in positions n/4 to n/2? At the moment this is an open
question.

Fact 5 also demonstrates that computing the exponentiation for the upper
order bits in an RSA computation can be performed by an untrusted server. This
may be used in a server aided RSA like computation where Chinese remaindering
is not possible such as for threshold RSA.
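The attack of Theorem 4 and the MSB leak of Fact 5 on a toy instance, as an added worked example (this is not code from the paper). It assumes Python 3.8 or later (for pow(x, -1, m)) and two constructed 20-bit primes, 1000003 and 999983, as p and q, so N has n = 40 bits and d0 is its n/4 = 10 low bits. Because the instance is tiny, the Coppersmith step of Corollary 1 is replaced by a brute-force search over the unknown high bits of p, which is only feasible at this size; everything else follows the proof: try every k < e, solve Equation (4) modulo 2^{n/4} for s, lift the roots of p^2 − sp + N ≡ 0 (mod 2^{n/4}) one bit at a time, and complete p. The lifting also covers the even-k case the proof glosses over, where s is only determined modulo 2^{n/4−v} and the 2^v lifts must all be tried.

```python
# Toy partial key exposure attack from n/4 least significant bits of d (Theorem 4) and the
# MSB approximation of Fact 5. Added example, not the paper's code; toy sizes only.
from math import isqrt


def toy_keypair(e=17):
    """Constructed toy RSA key: p, q are the known primes 1000003 and 999983 (N is 40 bits),
    which satisfy assumption (1), sqrt(N)/2 < q < p < 2 sqrt(N), and gcd(e, phi(N)) = 1."""
    p, q = 1000003, 999983
    N = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    k = (e * d - 1) // phi            # the k of Equation (4); k < e since d < phi(N)
    return p, q, N, e, d, k


def s_candidates(N, e, d0, k, m):
    """Solve e*d0 = 1 + k(N - s + 1) (mod 2^m) for s = p + q (mod 2^m), i.e. k*s = rhs.
    For even k only s mod 2^(m-v) is fixed (v = 2-adic valuation of k): return all lifts."""
    mod = 1 << m
    rhs = (1 + k * (N + 1) - e * d0) % mod
    v = (k & -k).bit_length() - 1
    if v >= m:
        return list(range(mod)) if rhs == 0 else []
    if rhs % (1 << v):
        return []                       # this k is inconsistent with d0
    sub = 1 << (m - v)
    s0 = (rhs >> v) * pow(k >> v, -1, sub) % sub
    return [s0 + j * sub for j in range(1 << v)]


def quadratic_roots_mod_2m(s, N, m):
    """All x in [0, 2^m) with x^2 - s*x + N = 0 (mod 2^m), found by lifting bit by bit
    (Hensel's lemma does not apply directly since the derivative 2x - s is even)."""
    roots = [x for x in (0, 1) if (x * x - s * x + N) % 2 == 0]
    for i in range(1, m):
        mod = 1 << (i + 1)
        roots = [c for x in roots for c in (x, x + (1 << i))
                 if (c * c - s * c + N) % mod == 0]
    return sorted(roots)


def complete_prime(N, p_low, m):
    """Stand-in for Corollary 1 (Coppersmith): brute-force the high bits of p above its
    known low m bits. Feasible only because the toy primes are 20 bits long."""
    bound = 2 * isqrt(N) + 1            # p < 2 sqrt(N) by assumption (1)
    for high in range((bound >> m) + 1):
        cand = p_low + (high << m)
        if 1 < cand < N and N % cand == 0:
            return cand
    return None


def lsb_attack(N, e, d0, m):
    """Theorem 4: given d0 = d mod 2^m with m = n/4, try every k < e and factor N."""
    for k in range(1, e):
        for s in s_candidates(N, e, d0, k, m):
            for p_low in quadratic_roots_mod_2m(s, N, m):
                p = complete_prime(N, p_low, m)
                if p:
                    return tuple(sorted((p, N // p)))
    return None


def msb_approximation(N, e, k):
    """Fact 5: d~ = (1 + k(N + 1)) / e exceeds d by less than p + q < 3 sqrt(N), so it
    shares roughly the top half of d's bits; computable from e, N and a guess of k < e."""
    return (1 + k * (N + 1)) // e


if __name__ == "__main__":
    p, q, N, e, d, k = toy_keypair()
    m = N.bit_length() // 4             # a quarter of the bits of d: 10 bits here
    print(lsb_attack(N, e, d % (1 << m), m))        # -> (999983, 1000003)
    d_tilde = msb_approximation(N, e, k)
    print(0 <= d_tilde - d < p + q, bin(d_tilde)[:22] == bin(d)[:22])
```

The first print line recovers the factorization of N from ten bits of d; the second shows that the Fact 5 approximation exceeds d by less than p + q, so the two values agree on the top half of the bits except for a possible carry.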

4 Partial Key Exposure Attack on Medium Exponent RSA 

We describe several attacks on the RSA system that can be employed when the
public key e is in the range $2^{n/4}$ to $2^{n/2}$. Unlike the previous section, these
attacks require the most significant bits of d to be given. We mount the attack
by carefully studying equation (4),

$$ ed - k(N - s + 1) = 1. $$

Recall that s = p + q.

The key to mounting these attacks is in finding k. Searching for k by brute
force is infeasible, since k is an arbitrary element in the range [0, e]. Fortunately,
given sufficiently many MSB's of d, we may compute k directly, eliminating it as
an unknown from equation (4). Once k is revealed, we are left with two unknowns,
d and s, which we recover using various methods. The main tool for discovering
k is presented in the following theorem. It shows that as long as $e < \sqrt{N}$ we can
find k given only $\log_2 e$ MSB bits of d. The theorem produces a small constant
size interval containing k. As always, we try all possible values of k in the interval
until our attack algorithm succeeds.

Theorem 6. With the notation as in Section 1.2, let t be an integer in the
range [0 ... n/2]. Suppose $2^t \le e \le 2^{t+1}$ and we know the t most significant bits of
d. Then we can efficiently compute the unique k satisfying Equation (4) up to a
constant additive error.



The proof of Theorem 6 relies on the following lemma, which provides general
conditions under which k can be deduced by rounding.



Lemma 1. Suppose $d_0$ is given such that the following two conditions hold:

(i) $|e(d - d_0)| < c_1 N$, and
(ii) $ed_0 < c_2 N^{3/2}$.

Then the unique k satisfying $ed - k\phi(N) = 1$ is an integer in the range
$[\tilde{k} - \Delta, \tilde{k} + \Delta]$ where $\tilde{k} = (ed_0 - 1)/N$ and $\Delta = 2(8c_2 + 2c_1)$.

Proof. Let $\tilde{k} = (ed_0 - 1)/N$. Then

$$ k - \tilde{k} = \frac{e(d - d_0)}{\phi(N)} + \frac{ed_0 - 1}{N} \cdot \frac{N - \phi(N)}{\phi(N)}. $$

Since $N - \phi(N) < 4\sqrt{N}$ and $\phi(N) > N/2$ it follows that

$$ |k - \tilde{k}| < 8c_2 + 2c_1. $$

Consequently, k is an integer in the range $[\tilde{k} - \Delta, \tilde{k} + \Delta]$ as required. □



We are now prepared to prove Theorem 6.

Proof of Theorem 6.

The t most significant bits of d enable us to construct an integer $d_0$ satisfying
$|d - d_0| < 2^{n-t}$. We use Lemma 1 to compute k. By the restriction on e, condition
(i) is satisfied with $c_1 = 2$. Since $d_0 < N$, condition (ii) holds with $c_2 = 2$.
Hence k is an integer in a known interval of width 40. □



4.1 Prime Public Key 

We are now ready to prove part (1) of Theorem 2. Theorem 6 enables us to find
k. Once k is found we reduce equation (4) modulo e. This removes d from the
equation. We can then solve for s mod e. Given s mod e we are able to factor
the modulus.

Theorem 7. With the notation of Section 1.2, let t be an integer in the range
$n/4 \le t \le n/2$. Suppose e is a prime in the range $[2^t \ldots 2^{t+1}]$. Furthermore suppose
we are given the t most significant bits of d. Then we can factor N in polynomial
time.

Proof. The assumptions of the theorem satisfy the conditions of Theorem 6.
Consequently, k is known to be an integer in a constant size range. We try all
candidate values for k. For each one we do the following:

1. Compute $s = N + 1 + k^{-1} \pmod e$ (this is Equation (4) reduced modulo e).
This is well-defined since gcd(e, k) = 1.

2. Find p mod e by finding a root $x_0$ of the quadratic

$$ x^2 - sx + N \equiv 0 \pmod e $$

This can be done efficiently (in probabilistic polynomial time) since e is
prime. Indeed, if $s \equiv p + q \pmod e$ then $x_0 \equiv p \pmod e$.

3. Use Corollary 1 to find p given p mod e. This is possible since $e \ge 2^{n/4}$.

Once the correct value of k is found (after a constant number of attempts)
the factorization of N is exposed. □



A surprising consequence of this theorem is that, when e is prime and is
roughly $2^{n/4}$, only the first n/4 MSB's of d are needed to mount the attack. This
attack is as strong as the one on low public exponent RSA. In any case, for prime
$e \in [2^{n/4} \ldots 2^{n/2}]$ the first n/2 most significant bits of d always suffice.

The proof shows that it is not necessary for e to be prime. As long as we can
solve the quadratic in step (2) the proof can be made to work. In order to solve
the quadratic we must be given the factorization of e. Unfortunately, modulo a
composite, the quadratic may have many roots. We must try them all. If e has
r distinct prime factors, there are $2^r$ solutions to consider. As a result, we must
also bound the number of prime factors of e. We obtain part (2) of Theorem 2.

Corollary 2. As in Theorem 7, suppose e is an integer in the range $[2^t \ldots 2^{t+1}]$.
If e has at most r distinct prime factors, and its factorization is known, then
given the t most significant bits of d we can factor N in polynomial time.

We point out that when e is close to $2^{n/2}$ the same attack can be mounted
even if the factorization of e is unknown. In other words, for all e sufficiently
close to $2^{n/2}$, half the MSB's of d are sufficient to reconstruct all of d. Indeed,
since $s = p + q < 3\sqrt{N}$, the range $1 \ldots 2^{n/2+2}/e$ can be searched exhaustively
to find $\lfloor s/e \rfloor$. Given the value of $\lfloor s/e \rfloor$ we can obtain s (since s mod e is
already known). Since s is now known in the integers we can directly find p using
equation (2).

4.2 Public Key with Unknown Factorization 

We now turn to proving part (3) of Theorem 2. We consider the case when e
is in the range $[2^t \ldots 2^{t+1}]$ with $0 \le t \le n/2$. The factorization of e is unknown.
The following result establishes that we can still find all of d, given some of its
MSB's. Our attack works as long as k is not significantly smaller than e. At the
end of the section we note that the attack heuristically works for almost all e in
the range $[2^t, 2^{t+1}]$.

Theorem 8. With the notation as in Section 1.2, let t be an integer in the range
[0 ... n/2]. Suppose e is in the range $[2^t \ldots 2^{t+1}]$. Further suppose $k > \epsilon \cdot e$ for
some $\epsilon > 0$. Then there is an algorithm that given the n − t most significant bits
of d finds all of d. The algorithm runs in time polynomial in n and $1/\epsilon$.

Proof. Given the n − t most significant bits of d we can construct a $d_0$ such that
$0 \le d - d_0 < 2^t$. Since $e < 2^{n/2}$ we can use $d_0$ and Theorem 6 to limit k to a
constant size interval. For each of the candidate k we do the following:

1. Compute $d_1 = e^{-1} \bmod k$. This is possible since e and k are relatively prime.
Since $ed - k\phi(N) = 1$ we know that $d_1 = d \bmod k$.

2. By assumption $k > \epsilon 2^t$. Note that at this point we know d mod k as well
as the n − t MSB's of d. We determine the rest of the bits by an exhaustive
search. More precisely, write

$$ d = k d_2 + d_1. $$

Then $d_2 = d_0/k + (d - d_0)/k - d_1/k$. The only unknown term in this sum is
$v = (d - d_0)/k$. Since $k > \epsilon 2^t$ we know that $v = (d - d_0)/k < 1/\epsilon$. To find
v we try all possible candidates in the range $[0, 1/\epsilon]$. For each candidate we
compute the candidate value of d and test it out.

3. Once the correct values of v and k are found d is exposed. Testing each
candidate d takes time polynomial in n and there are $O(1/\epsilon)$ candidates to try out.

□



Theorem 8 works without having to know the factorization of e. Unfortunately,
the results are not as strong as in the previous section. When e is close to
$2^{n/4}$ Theorem 8 implies that 3/4 of the bits of d are needed to reconstruct d.
This is much worse than the corresponding bound achieved in the previous section,
where only 1/4 of the bits were required. When e is close to $2^{n/2}$ the theorem
produces results similar to the previous section.

Theorem 8 can only be applied when $k > \epsilon \cdot e$. Intuitively k behaves roughly
as a random integer in the range [1, e]. As such, we should have k > e/10 for
about 90% of the $e \in [2^t, 2^{t+1}]$. Hence, heuristically the attack works efficiently
for almost all e.
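The Section 4 attacks on a toy instance, as an added worked example serving both Theorem 7 and Theorem 8 (not code from the paper): k is recovered from the top bits of d by the rounding of Lemma 1 / Theorem 6, then the prime-e attack of Theorem 7 factors N from the t most significant bits of d, and the attack of Theorem 8 recovers d from the n − t most significant bits without any factorization of e. The parameters are constructed: p = 1000003 and q = 999983 (N has n = 40 bits), and e = 4099, a prime in [2^12, 2^13] chosen ≡ 3 (mod 4) so that the square root modulo e in step (2) is a single exponentiation; Python 3.8 or later is assumed. As in the previous example the Coppersmith step of Corollary 1 is replaced by brute force over the high bits of p, which only works at this size.

```python
# Toy medium-exponent partial key exposure attacks (Theorems 6, 7 and 8).
# Added example, not the paper's code; constructed toy parameters, not secure sizes.
from math import isqrt

P, Q = 1000003, 999983            # constructed toy primes; sqrt(N)/2 < Q < P < 2 sqrt(N)
N = P * Q                         # 40-bit modulus, so n = 40
NBITS = N.bit_length()
E = 4099                          # prime, E = 3 (mod 4), 2^12 <= E < 2^13, gcd(E, phi(N)) = 1
T = E.bit_length() - 1            # t = 12, so n/4 <= t <= n/2 as Theorem 7 requires
INV2 = pow(2, -1, E)              # 1/2 modulo the odd prime E


def toy_key():
    """Private exponent d and the k of Equation (4) for the toy parameters."""
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)
    return d, (E * d - 1) // phi


def top_bits(d, count):
    """d0 built from the `count` most significant bits of d (as an NBITS-bit string)."""
    return (d >> (NBITS - count)) << (NBITS - count)


def k_interval(d0, delta=40):
    """Lemma 1 / Theorem 6: the true k is within delta of k~ = (e*d0 - 1)/N; 40 is the
    interval width of Theorem 6 (the toy's constants make it much tighter in practice)."""
    k_approx = (E * d0 - 1) // N
    return max(1, k_approx - delta), k_approx + delta


def complete_prime(p_mod_e):
    """Stand-in for Corollary 1 (Coppersmith): brute-force p = p_mod_e + E*h, h < 2 sqrt(N)/E."""
    for h in range(2 * isqrt(N) // E + 2):
        cand = p_mod_e + E * h
        if 1 < cand < N and N % cand == 0:
            return cand
    return None


def factor_with_prime_e(d0):
    """Theorem 7: for each candidate k, s = N + 1 + k^-1 (mod E) is Equation (4) reduced
    modulo E; p mod E is a root of x^2 - s*x + N (mod E); then p is completed."""
    lo, hi = k_interval(d0)
    for k in range(lo, hi + 1):
        if k % E == 0:
            continue                                  # k^-1 mod E does not exist
        s = (N + 1 + pow(k, -1, E)) % E
        disc = (s * s - 4 * N) % E
        root = pow(disc, (E + 1) // 4, E)             # sqrt mod E, valid since E = 3 (mod 4)
        if root * root % E != disc:
            continue                                  # wrong k: no root, nothing to complete
        for x in ((s + root) * INV2 % E, (s - root) * INV2 % E):
            p = complete_prime(x)
            if p:
                return tuple(sorted((p, N // p)))
    return None


def recover_d_unknown_factorization(d0):
    """Theorem 8: given the n - t top bits of d (so d0 <= d < d0 + 2^t) and no factorization
    of e: d1 = e^-1 mod k equals d mod k, hence d = k*d2 + d1 with d2 in a short range."""
    lo, hi = k_interval(d0)
    probe = pow(2, E, N)                              # constructed test message 2, encrypted
    for k in range(lo, hi + 1):
        if k % E == 0:
            continue                                  # e and the true k are coprime
        d1 = pow(E, -1, k) if k > 1 else 0
        for d2 in range((d0 - d1) // k, (d0 + (1 << T) - d1) // k + 1):
            cand = k * d2 + d1
            if d0 <= cand < d0 + (1 << T) and pow(probe, cand, N) == 2:
                return cand                           # candidate decrypts correctly
    return None


if __name__ == "__main__":
    d, k = toy_key()
    print(k_interval(top_bits(d, T)), k)
    print(factor_with_prime_e(top_bits(d, T)))                     # from 12 of d's 40 bits
    print(recover_d_unknown_factorization(top_bits(d, NBITS - T)) == d)   # from 28 bits
```

Theorem 7 is run with only t = 12 top bits of d, Theorem 8 with n − t = 28; the "test it out" step of the proof is implemented by decrypting a constructed ciphertext of the message 2.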

4.3 More Results 

What if the factorization of e is unknown and e was not randomly chosen?
Although it may be computationally infeasible, it is possible for e, d to be specifically
chosen as factors of $1 + k\phi(N)$ for very small k, violating the conditions
of Theorem 8. We stress that this is particularly unlikely, as not only would the
rather large value of $1 + k\phi(N)$ need to be factored into ed, but a factor e
in the range $[2^{n/4} \ldots 2^{n/2}]$ would need to be obtained, and one that itself cannot
easily be factored (making it vulnerable to Corollary 2). However, under these
circumstances, the above attacks would not apply. We conclude with the following
general result which holds for all $e < 2^{n/2}$. Unfortunately, the result
requires non-consecutive bits of d.

Theorem 9. With the notation as in Section 1.2, let t be an integer in [1, n/2]
and e in $[2^t \ldots 2^{t+1}]$. Suppose we are given the t most significant bits of d and
the n/4 least significant bits of d. Then in polynomial time we can factor N.

Proof Sketch. Using Theorem 6 we may compute a constant size interval I containing
k. Observe that the proof of Theorem 4 applies for all e, as long as k and
the n/4 least significant bits of d are known. To recover d, run the algorithm of
Theorem 4 on all candidate values of k in I. □

In fact, Theorem 4 can be viewed as a special case of Theorem 9 in which
exhaustive search is performed on the requisite O(log n) MSB bits of d.

5 Conclusions 

We study RSA's vulnerability to partial key exposure. We showed that for low
exponent RSA, a quarter of the least significant bits of d are sufficient for efficiently
reconstructing all of d. We obtain similar results for larger values of e as
long as $e < \sqrt{N}$. For instance, when e is close to $\sqrt{N}$ half the most significant
bits of d suffice. These results demonstrate the danger of leaking a fraction of the
bits of d. We note that discrete log schemes (e.g. DSS, ElGamal) do not seem
vulnerable to partial key exposure. A fraction of the DSS private key bits does
not seem to enable the adversary to immediately break the system.

There are a number of related open problems. Our results do not apply to
values of e that are substantially larger than $\sqrt{N}$. A natural question is whether
a fraction of the bits of d enables one to break the system for all values of e.

For e in the range $[2^{n/4}, 2^{n/2}]$ our most effective results (requiring the
fewest bits of d) apply only once the factorization of e is known. It seems that one
should be able to obtain similar results even when the factorization is unknown.
Abstract. In [?], H. Imai and T. Matsumoto presented new candidate
trapdoor one-way permutations with a public key given as multivariate
polynomials over a finite field. One of them, based on the idea of hiding a
monomial field equation, was later presented in [?] under the name C*. It
was broken by J. Patarin in [?]. J. Patarin and L. Goubin then suggested
([?], [?], [?], [?]) some schemes to repair C*, but with slightly more
complex public key or secret key computations. In part I, we study some
very simple variations of C* - such as C*−+ - where the attack of [?] is
avoided, and where the very simple secret key computations are kept.
We then design some new cryptanalyses that are efficient against some
of - but not all - these variations.

[C] is another scheme of [?], very different from C* (despite the name),
and based on the idea of hiding a monomial matrix equation. In part
II, we show how to attack it (no cryptanalysis had been published so
far). We then study more general schemes, still using the idea of hiding
matrix equations, such as HM.

An extended version of this paper can be obtained from the authors.



1 Introduction 

What is - at the present - the asymmetric signature algorithm with the most
simple smartcard implementation (in terms of speed and RAM needed), and not
broken? We think that it is one simple variation of the Matsumoto-Imai C*
algorithm that we present in part I.

C* was presented in [?] and [?], and was broken in [?], due to unexpected
algebraic properties. However, many ways are possible to avoid the cryptanalysis
of [?]. In [?], J. Patarin suggested to use a "hidden polynomial" instead of a
"hidden monomial". These "HFE" algorithms are still unbroken. However, the
secret key computations in HFE schemes are noticeably more complex than in the
original C* scheme. In [?], [?] and [?], J. Patarin and L. Goubin also studied
some variations, where the public equations are given in different forms (some
of these schemes are also presented in [?]), but here again, in order to avoid
the attacks, the secret key computations or the public key computations are
generally slightly more complex than in the original C* scheme.

In part I, we design and study very simple variations of the original C*
scheme. We keep a quadratic public key and the main secret key operation is
still the computation of a monomial function $f : a \mapsto a^{1+q^\theta}$ in a finite field.
(The length of the elements of this finite field is much shorter than for RSA,
and this explains why the implementations are much more efficient.) We break
some of the new variations. However, some others still resist our attacks. They
are related to some problems of orthogonal polynomials (how to complete a set
of orthogonal polynomials, how to eliminate some random polynomials linearly
mixed with orthogonal polynomials, etc).

These variations of C* can also be applied to the more general HFE scheme
of [?] or to Dragon schemes of [?]. We concentrate on C* because its secret
computations are particularly efficient, and because we want to see if these simple
ideas can be sufficient or not to enforce the security (in HFE, the analysis is more
difficult since no efficient attacks are known at the present).

In part II, we study a very different (despite the name) algorithm of [?] called
[C], based on the idea of hiding (with secret affine transformations) a monomial
matrix equation. Since the multiplication of matrices is a non-commutative operation,
it creates a scheme with very special features. However, as in C* or HFE,
the public key is still given as a set of multivariate polynomials on a finite field,
and some of the ideas used in [?] are also useful.

We show how to break the original [C] scheme (no cryptanalysis of this
scheme was published before). We then study some more general algorithms,
based on the same idea of hiding matrix equations.

Since all those unbroken schemes are new and very similar to broken ones,
we certainly do not recommend them for very sensitive applications. However,
we believe that it is nice to study them because they have very efficient implementations
and provide a better understanding of the subtle links between the
concept of asymmetric cryptosystem and the computations required for security.

Part I: Variations around C* 

2 A Short Description of HFE and C* 

We present a short description of the HFE and C* schemes. See [?] (for C*), or
[?] (for HFE) for more details.

The quadratic function f: Let $K = F_q$ be a finite field of cardinality q. Let
$F_{q^n}$ be an extension of degree n over $F_q$. Let

$$ f(a) = \sum_{i,j} \beta_{ij}\, a^{q^{\theta_{ij}} + q^{\varphi_{ij}}} + \sum_k \alpha_k\, a^{q^{\xi_k}} + \mu_0 \ \in F_{q^n}[a] $$

be a polynomial in a over $F_{q^n}$, of degree d, for integers $\theta_{ij}$, $\varphi_{ij}$ and $\xi_k \ge 0$.

Since $F_{q^n}$ is isomorphic to $F_q[x]/(g(x))$, if $g(x) \in F_q[x]$ is irreducible of degree
n, elements of $F_{q^n}$ may be represented as n-tuples over $F_q$, and f may be
represented by n polynomials $f_1(a_1, \ldots, a_n), \ldots, f_n(a_1, \ldots, a_n)$ in n variables
$a_1, \ldots, a_n$ over $F_q$.

The $f_i$ are quadratic polynomials, due to the choice of f and the fact that $a \mapsto a^q$
is a linear transformation of $F_{q^n}$.

Secret affine transformations of f: Let s and t be two secret affine bijections
$(F_q)^n \to (F_q)^n$, where $(F_q)^n$ is seen as an n-dimensional vector space over $F_q$.

Using the function f above and some representation of $F_{q^n}$ over $F_q$, the
function $(F_q)^n \to (F_q)^n$ that assigns t(f(s(x))) to $x \in (F_q)^n$ can be written as

$$ t(f(s(x_1, \ldots, x_n))) = (P_1(x_1, \ldots, x_n), \ldots, P_n(x_1, \ldots, x_n)), $$

where the $P_i$ are quadratic polynomials due to the choice of s, t and f.

The "basic" HFE (cf. [?]): The public key contains the polynomials $P_i$,
for i = 1, 2, ..., n, as above. The secret key is the function f and the two affine
bijections s and t as above.

To encrypt the n-tuple $x = (x_1, \ldots, x_n)$, compute the ciphertext
$y = (P_1(x_1, \ldots, x_n), \ldots, P_n(x_1, \ldots, x_n))$ (x should have redundancy, or a hash
of x should also be sent). To decrypt y, first find all the solutions z to the equation
$f(z) = t^{-1}(y)$ by solving a univariate polynomial equation of degree d. This is
always feasible when d is not too large (say d < 1000 for example) or when f has
a special shape (as in the case of C* described below). Next, compute all the
$s^{-1}(z)$, and use the redundancy (or the hash of x) to find x from these.

HFE can also be used in signature, as explained in [?] (essentially, the idea is
that now x is the signature and y the hash of the message to be signed. If the
equation $f(z) = t^{-1}(y)$ has no solution z, we compute another hash).

The C* algorithm (cf. [?]): C* can be seen as a special case of the more
general HFE scheme, where the function f is $f(a) = a^{1+q^\theta}$. Such a function f
has some practical advantages: if K is of characteristic 2 and if $1 + q^\theta$ is coprime
to $q^n - 1$, then f is a bijection, and the computation of $f^{-1}(b)$ is easy since
$f^{-1}(b) = b^{h'}$, where h' is the inverse of $1 + q^\theta$ modulo $q^n - 1$.

However, C* was broken in [?], essentially because - in the case of a C*
scheme - there always exist equations such as

$$ \sum_{i,j} \gamma_{ij} x_i y_j + \sum_i \alpha_i x_i + \sum_j \beta_j y_j + \delta_0 = 0 \qquad (1) $$

from which it is possible to break the scheme (see [?]). (Here x is the cleartext
(or the signature), y is the ciphertext (or the hash of the message), and $\gamma_{ij}$, $\alpha_i$,
$\beta_j$ and $\delta_0$ are elements of K.) Throughout this paper, we call "equation of type
(1)" any equation like (1).

In the case of HFE, no cryptanalysis has yet been found (when f is well
chosen), but the secret key computations are more complex.
3 Three Simple Variations of C* (and HFE)

3.1 Less Public Polynomials: the C*− Scheme

The polynomials $(P_1, \ldots, P_n)$ of the "basic" HFE algorithm give y from x. However,
it is possible to keep some of these polynomials secret. Let k be the number
of these polynomials $P_i$ that we do not give in the public key, so that only $P_1$,
$P_2$, ..., $P_{n-k}$ are public.

In an encryption scheme, k must be small, because in order to recover x from
y, we compute the $q^k$ possibilities for the missing coordinates of y, compute all
the corresponding possible x, and find the good x thanks to the redundancy. When
q is not too large, and when k is very small, for example with k = 1 or 2, this is
clearly feasible.

In a signature scheme, k may be much larger. However, we must still have
enough polynomials $P_i$ in order that the problem of finding a value x, whose
images by $P_1, \ldots, P_{n-k}$ are given values, is still intractable. A value k = 1, 2, or
k = [?] for example may be practical and efficient.



3.2 Introducing Some Random Polynomials: the C*+ Scheme

Let $P_i$ be the public polynomials in $x_1, x_2, \ldots, x_n$ of a "basic" HFE scheme. We
introduce k random extra quadratic polynomials $Q_i$ in $x_1, \ldots, x_n$, and we mix
the polynomials $Q_i$ and $P_i$ with a secret affine bijection in the given public key.

In a signature scheme, k must be small, because for a given x, the probability
to satisfy these extra $Q_i$ equations is $q^{-k}$. When q and k are small, the scheme
is efficient: after about $q^k$ tries, we obtain a signature.

In an encryption scheme, k may be much larger. However, the total number
k + n of quadratic public equations must be such that the problem of finding x
from a given y is still intractable (and thus must stay below the number of quadratic
monomials, because with that many equations the values $x_i x_j$ are found by
Gaussian reduction, which gives the $x_i$). A value k = 1, 2 or k = [?] for example
may be practical and efficient.

Note: We may combine the variations of sections 3.1 and 3.2. For example, it is
possible to design a signature or an encryption scheme from a "basic" HFE with
polynomials $P_1, \ldots, P_n$, by keeping $P_n$ secret, introducing a random polynomial
$Q_n$ instead of $P_n$, and computing the public key as a secret affine transformation
of $P_1, \ldots, P_{n-1}, Q_n$. In the case of a C* scheme, we call such algorithms C*−+.

3.3 Introducing More Xi Variables 

Due to the lack of space, we refer the reader to the extended version of the paper. 

4 Toy Simulations of C*− with n = 17

We have made some toy simulations of C*− with $K = F_2$ and n = 17. (Note that, in
real examples, n must be ≥ 64 if $K = F_2$.)

In all these simulations, we have computed the exact number of independent
equations between the 17 bits of the input $x_1, \ldots, x_{17}$ and the 17 bits of the
output $y_1, \ldots, y_{17}$ of type (1) (see section 2), or of type (2) or (3) defined by:

$$ \sum \gamma_{ijk} x_i y_j y_k + \sum \mu_{ij} x_i y_j + \sum \nu_{ij} y_i y_j + \sum \alpha_i x_i + \sum \beta_j y_j + \delta_0 = 0 \qquad (2) $$

$$ \sum \gamma_{ijk} x_i x_j y_k + \sum \mu_{ij} x_i y_j + \sum \nu_{ij} x_i x_j + \sum \alpha_i x_i + \sum \beta_j y_j + \delta_0 = 0 \qquad (3) $$

As shown in table 1, the attacks of [?] do not work directly against C*− if we
have less public polynomials, at least if $f(x) = x^3$ is avoided and if two or more
polynomials are kept secret.

Note: In this table, we have subtracted the number of independent "trivial"
equations, such as $x_i^2 = x_i$, or those obtained by writing $y_i$ and $y_j$ with their
expressions in the $x_k$ variables. The notation [a] means that, when the $y_k$
variables are given explicit values, we obtain on average a independent
equations in the $x_k$ variables.


Scheme      Type   col 1      col 2      col 3      col 4      col 5      col 6      col 7
C*          (1)    34 [16]    17 [16]    17 [16]    17 [16]    17 [16]    17 [16]    17 [16]
            (2)    612 [16]   340 [16]   323 [16]   340 [17]   323 [16]   374 [16]   323 [16]
            (3)    578 [153]  442 [153]  476 [153]  493 [153]  476 [153]  459 [153]  493 [153]
C*_{-+1}    (1)    17 [15]    1 [1]      1 [1]      1 [1]      1 [1]      1 [1]      1 [1]
            (2)    340 [15]   52 [15]    36 [15]    36 [15]    36 [15]    87 [15]    36 [15]
            (3)    443 [153]  307 [152]  341 [153]  358 [153]  341 [152]  324 [152]  358 [153]
C*_{-+2}    (1)    1 [1]      0 [0]      0 [0]      0 [0]      0 [0]      0 [0]      0 [0]
            (2)    54 [13]    0 [0]      0 [0]      0 [0]      0 [0]      0 [0]      0 [0]
            (3)    309 [151]  173 [135]  207 [151]  224 [152]  207 [150]  190 [152]  224 [153]
C*_{-+3}    (1)    0 [0]      0 [0]      0 [0]      0 [0]      0 [0]      0 [0]      0 [0]
            (2)    0 [0]      0 [0]      0 [0]      0 [0]      0 [0]      0 [0]      0 [0]
            (3)    176 [153]  51 [68]    74 [91]    91 [108]   74 [91]    57 [74]    91 [108]
C*_{-+4}    (1)    0 [0]      0 [0]      0 [0]      0 [0]      0 [0]      0 [0]      0 [0]
            (2)    0 [0]      0 [0]      0 [0]      0 [0]      0 [0]      0 [0]      0 [0]
            (3)    44 [61]    0 [17]     0 [17]     0 [17]     0 [17]     0 [17]     0 [17]

Table 1 (for K = F_2 and n = 17). Each entry is the number of independent equations of the given type, and [a] the average number that remain when the y_k are given explicit values. The seven value columns correspond to seven choices of the exponent of f(x); the column headings are not legible in the scan, so they are left as col 1 to col 7.



5 First Cryptanalysis of C*_-

This section is given in appendix 1.

6 The C*_{--} Algorithm

When q^r > 2^[...], the cryptanalysis given in section 5 is not efficient. The scheme is then called C*_{--}. It cannot be used for encryption any more, but it is still a very efficient scheme for signatures, and its security is an open problem.
7 Cryptanalysis of C*_+

The cryptanalysis of C*_+ is very simple: it works exactly as the original cryptanalysis of C*. We first generate all the equations of type (1). Since in C*_+ we have only added some equations (and eliminated none), we find at least as many equations (1) as in the original C*, from which, as explained in [ref], we can find x from y (and thus break the system). Moreover, we can eliminate the added random equations and recover an original C*, because an equation (1) generally comes only from the y_i of C* (and not from the added equations). Therefore, by writing (1) as x_1 P_1(y) + x_2 P_2(y) + ... + x_n P_n(y) (where P_1, ..., P_n are polynomials of degree one in y_1, ..., y_{n+k}), and by making the change of variables y'_1 = P_1(y), ..., y'_n = P_n(y), the variables y'_1, ..., y'_n are the outputs of an original C* scheme.

Note: However, this idea of adding an equation may be much more efficient in a scheme where no equation (1) exists (as in some HFE schemes), or when we add and eliminate some equations, as in C*_{-+} below.

8 Cryptanalysis of C*_{-+}: Second Cryptanalysis of C*_-

Cryptanalysis of C*_{-+1}: We know that from the variables of the original C* we have at least n independent equations of type (1), so that, by multiplying these equations by one x_k, 1 ≤ k ≤ n, we generate about n^2 independent equations of type (3).

By Gaussian reductions, we obtain at least about n^2/2 equations of type (3) with no terms in y_1 (because we have at most about n^2/2 terms in y_1 x_i x_j or y_1 x_i). Giving then explicit values for y, we obtain (by Gaussian reductions on the X_{ij} = x_i · x_j variables) the x_i values. As a result, with the equations (3) we can break C*_{-+1}, i.e. recover an x from a given y. This attack works because (as shown in our simulations of section 4) the number of independent equations does not decrease significantly when the y_k variables are given explicit values.

Cryptanalysis of C*_{-+r} for r = 2, 3: As shown in table 1, we generally have more equations of type (3) than this count, so that the attack also works very well when r = 2 or r = 3, since we have more equations (3) than expected. Of course, when, after Gaussian reductions, we still have a few variables to guess, we can guess them by exhaustive search (if this number is very small).

Cryptanalysis of C*_{-+r} for r ≥ 4: When r ≥ 4, the attack given above may not work, so that we may need to generalize this attack by generating more general equations, such as equations of total degree d ≥ 4 (instead of three) and of degree one in the y_i variables.

We know that from the variables of the original C* we have at least n independent equations of type (1). So by multiplying these equations by d − 2 variables x_k, 1 ≤ k ≤ n, we generate about $n \cdot \frac{n^{d-2}}{(d-2)!}$ independent equations of the following type:

  ... = 0 .   (*)

By Gaussian reductions, we obtain at least $n \cdot \frac{n^{d-2}}{(d-2)!} - r \cdot \frac{n^{d-1}}{(d-1)!}$ equations (*) with no terms in y_1, y_2, ..., y_r (because we have at most $\frac{n^{d-1}}{(d-1)!}$ terms in $y_k\, x_{i_1} x_{i_2} \cdots x_{i_{d-1}}$, and r values k such that 1 ≤ k ≤ r). Giving then explicit values for y, we obtain (by Gaussian reductions on the $X_{i_1 \ldots i_{d-1}} = x_{i_1} \cdots x_{i_{d-1}}$ variables) the x_i values if $n \cdot \frac{n^{d-2}}{(d-2)!} - r \cdot \frac{n^{d-1}}{(d-1)!} \ge \frac{n^{d-1}}{(d-1)!}$ (because, as shown in our simulations, the number of independent equations does not dramatically decrease when we give explicit values for y), i.e. when r ≤ d − 2.

Complexity: The complexity of this attack is essentially the complexity of Gaussian reductions on O(n^d) terms, i.e. O(n^{ωd}), with ω = 3 in the usual Gaussian reduction algorithms, or ω = 2.3755 in the best known general purpose Gaussian reduction algorithm (see [ref]). As a result, since d must be at least r + 2, this complexity increases exponentially in r.

Since our simulations show that this attack works sensibly better than described above (because we have a few more equations (*)), we may expect to attack C*_{-+r} when r ≤ 10 approximately. Therefore, we think that any r ≤ 10 is insecure. However, the complexity of the attack increases a lot when r increases. Hence, at present, for practical applications, it is an open problem to find an efficient cryptanalysis of C*_{-+r} when r > 10.

Can we recover the corresponding C*_- from C*_{-+}?

This is sometimes feasible. For example, when we have equations of type (2) (this is generally the case only when r is very small: see table 1), they generally come from the y_i variables of the original C*_-, and not from the added random quadratic equations. Therefore, by looking at the terms in factor of a monomial x_i x_j in those equations (2), we find the vector space generated by the public equations of the original C*_-. (C*_{-+} can then be attacked as a C*_- algorithm.)
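The counts in table 1 and the reasoning of sections 7 and 8 rest on a single computation: enumerate (x, y) pairs of the public map, treat an equation of type (1) as an unknown coefficient vector on the monomials x_i y_j, x_i, y_j and 1, and take the kernel of the evaluation matrix by Gaussian reduction over F_2. The Python block below is an added, constructed example and not code from the paper: it performs that computation for a toy C* with n = 7 over F_2 (the paper uses n = 17) and for a C*_{-+}-style variant in which one output polynomial is removed and one random quadratic polynomial is added. The field modulus x^7 + x + 1, the seed and all function names are assumptions. For a designer this is the check that separates the public map from a random quadratic map: the C* map yields n equations, the exponent x^3 yields 2n because x · y = x^4 also holds, and the trimmed variant keeps at least one.

```python
"""Count the equations of type (1) (affine-bilinear relations between input and output
bits) of a toy C* public map over F_2 and of a C*_{-+}-style variant.
Constructed example: n = 7, F_{2^7} built on x^7 + x + 1 (the paper's simulations use n = 17)."""
import random

N = 7
MODULUS = 0b10000011  # x^7 + x + 1, irreducible over F_2


def gf_mul(a, b):
    """Multiplication in F_{2^N}; elements are N-bit integers in the polynomial basis."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= MODULUS
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def bits(v):
    return [(v >> i) & 1 for i in range(N)]


def cstar_pairs(theta):
    """All (x, y) bit-vector pairs of the C* map y = x^(1 + 2^theta). The secret affine
    bijections s and t are omitted: they do not change the number of relations."""
    e = 1 + (1 << theta)
    return [(bits(x), bits(gf_pow(x, e))) for x in range(1 << N)]


def remove_and_add(pairs, r, k, seed=2024):
    """C*_{-+}-style variant: drop the last r output bits and append k random quadratic
    polynomials in x (constructed here from a fixed seed)."""
    rng = random.Random(seed)
    n = len(pairs[0][0])
    monos = [(i, j) for i in range(n) for j in range(i, n)]
    polys = [([rng.randrange(2) for _ in monos], [rng.randrange(2) for _ in range(n)],
              rng.randrange(2)) for _ in range(k)]
    out = []
    for x, y in pairs:
        extra = []
        for quad, lin, const in polys:
            v = const
            for c, (i, j) in zip(quad, monos):
                v ^= c & x[i] & x[j]
            for c, xi in zip(lin, x):
                v ^= c & xi
            extra.append(v)
        out.append((x, y[:n - r] + extra))
    return out


def rank_gf2(rows):
    """Rank over F_2 of rows given as integers whose bits are the column entries."""
    pivots = {}  # leading bit -> reduced row
    for row in rows:
        while row:
            lead = row.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = row
                break
            row ^= pivots[lead]
    return len(pivots)


def count_type1(pairs):
    """Number of independent equations sum g_ij x_i y_j + sum a_i x_i + sum b_j y_j + d = 0
    holding for every pair: the kernel dimension of the evaluation matrix whose columns
    are the monomials x_i y_j, x_i, y_j and 1."""
    n = len(pairs[0][0])
    m = len(pairs[0][1])
    rows = []
    for x, y in pairs:
        cols = [xi & yj for xi in x for yj in y] + x + y + [1]
        rows.append(sum(c << idx for idx, c in enumerate(cols)))
    return n * m + n + m + 1 - rank_gf2(rows)


if __name__ == "__main__":
    base = cstar_pairs(2)
    print("C* with f(x) = x^5:", count_type1(base))            # 7 = n
    print("C* with f(x) = x^3:", count_type1(cstar_pairs(1)))  # 14 = 2n
    print("one output removed, one random quadratic added:",
          count_type1(remove_and_add(base, 1, 1)))
```

The kernel dimension is exactly the quantity tabulated in table 1 for type (1) before any y_k is fixed; fixing y_k to explicit values amounts to dropping the y columns and re-running the same reduction, which gives the bracketed [a] numbers.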

Part II: Schemes with a Hidden Matrix

9 The [C] Scheme

Let us recall the description of the [C] scheme, presented by H. Imai and T. Matsumoto in [ref]. Let K = F_{2^m} be a public finite field of cardinality q = 2^m. The basic idea is to use the transformation A ↦ A^2 of the set M_2(K) of the 2 × 2 matrices over the field K.

This transformation is not one-to-one, but it can be proved (see the extended version) that its restriction Φ to the set E = {M ∈ M_2(K), tr(M) ≠ 0} is a bijection whose inverse is given by:

$$\Phi^{-1}(B) = \frac{B + \sqrt{\det(B)}\, I}{\sqrt{\mathrm{tr}(B)}},$$

where √ denotes the inverse of the bijection A ↦ A^2 on F_{2^m} (the formula follows from the Cayley-Hamilton relation A^2 = tr(A) A − det(A) I for 2 × 2 matrices, since tr(A^2) = tr(A)^2 and det(A^2) = det(A)^2 in characteristic 2). The function √ is easy to compute, since $\sqrt{A} = A^{2^{m-1}}$ for any A ∈ F_{2^m}.

The set M_2(K) can be considered as a vector space of dimension 4 over K. Therefore, we can choose s : K^4 → M_2(K) and t : M_2(K) → K^4 two secret linear bijections such that s maps the hyperplane {x_1 = 0} of K^4 onto the hyperplane {tr(M) = 0} of M_2(K), whereas t maps the hyperplane {tr(M) = 0} of M_2(K) onto the hyperplane {x_1 = 0} of K^4.

Each message M is represented by a 4-uple (x_1, x_2, x_3, x_4) ∈ K^4 such that x_1 ≠ 0. The message space is 𝓜 = {(x_1, x_2, x_3, x_4) ∈ K^4, x_1 ≠ 0}.

The quadratic function f is defined on the message space by:

$$f : x \mapsto t(s(x)^2).$$

The hypotheses made on s and t show that the function f is a bijection.

[C] used in encryption mode: The public key is the 4-uple (P_1, P_2, P_3, P_4) of 4-variate quadratic polynomials over K that represent f. They are defined by:

$$f(x_1, \ldots, x_4) = (P_1(x_1, \ldots, x_4),\ P_2(x_1, \ldots, x_4),\ P_3(x_1, \ldots, x_4),\ P_4(x_1, \ldots, x_4)).$$

The secret key is the two linear bijections s and t.

To encrypt the message M represented by x = (x_1, x_2, x_3, x_4) ∈ 𝓜, compute the ciphertext y = (y_1, y_2, y_3, y_4) with the following formulas:

$$\begin{cases} y_1 = P_1(x_1, x_2, x_3, x_4) \\ y_2 = P_2(x_1, x_2, x_3, x_4) \\ y_3 = P_3(x_1, x_2, x_3, x_4) \\ y_4 = P_4(x_1, x_2, x_3, x_4) \end{cases} \quad (5)$$

To decrypt the ciphertext y ∈ 𝓜, compute:

$$x = s^{-1}\left( \frac{t^{-1}(y) + \sqrt{\det(t^{-1}(y))}\, I}{\sqrt{\mathrm{tr}(t^{-1}(y))}} \right).$$




10 First Cryptanalysis of [C]

This section is given in appendix 2.
11 The More General [C_n] Scheme

The [C_n] scheme is a generalization of [C], which involves n × n matrices over K, instead of 2 × 2 matrices.

As in the case of [C], we take a public finite field K = F_{2^m} of cardinality q = 2^m. The basic idea is still to use the transformation A ↦ A^2 of the set M_n(K) of the n × n matrices over the field K. The set M_n(K) can be considered as a vector space of dimension n^2 over K, so that we can choose s : K^{n^2} → M_n(K) and t : M_n(K) → K^{n^2} two secret affine bijections.

Each message M is represented by an n^2-uple (x_1, ..., x_{n^2}) ∈ K^{n^2}. The message space is 𝓜 = K^{n^2}.

The quadratic function f is defined on the message space by:

$$f : x \mapsto t(s(x)^2).$$

[C_n] used in encryption mode: The public key is the n^2-uple (P_1, ..., P_{n^2}) of n^2-variate quadratic polynomials over K that represent f. They are defined by:

$$f(x_1, \ldots, x_{n^2}) = (P_1(x_1, \ldots, x_{n^2}),\ \ldots,\ P_{n^2}(x_1, \ldots, x_{n^2})).$$

The secret key is the two affine bijections s and t.

To encrypt the message M represented by x = (x_1, ..., x_{n^2}) ∈ 𝓜, compute the ciphertext y = (y_1, ..., y_{n^2}) with the following formulas:

$$\begin{cases} y_1 = P_1(x_1, \ldots, x_{n^2}) \\ \quad \vdots \\ y_{n^2} = P_{n^2}(x_1, \ldots, x_{n^2}) \end{cases}$$

To decrypt the ciphertext y ∈ 𝓜, one has to solve the equation A^2 = B, where B = t^{-1}(y), and then to compute the cleartext x = s^{-1}(A).



# pre-images   n = 2   n = 3   n = 4
0              6       252     34440
1              8       160     22272
2              0       42      5040
3              0       0       0
4              2       56      2240
5-11           0       0       0
12             0       0       630
13-15          0       0       0
16             0       0       672
17-21          0       0       0
22             0       2       240
23-315         0       0       0
316            0       0       2
> 316          0       0       0

Table 2: number of pre-images for [C_n] over F_2 (toy examples). Each row gives, for the stated number of pre-images A of a matrix B under A ↦ A^2, how many matrices B have exactly that many.

It is important to notice that A ↦ A^2 is not a bijection any longer (contrary to the original [C] scheme described in section 9). As a result, there may be several possible cleartexts for a given ciphertext. One solution to avoid this








ambiguity is to put some redundancy in the representation of the messages, by making use of an error correcting code or a hash function (for details, see [ref], p. 34, where a similar idea is used in a different scheme).

The feasibility of choosing the right cleartext among the possible ones is due to the fact that, for an average B, the number of solutions A of the equation A^2 = B remains reasonable, as shown in table 2 above.

To solve the equation A^2 = B when B ∈ M_n(K), two methods can be used. The first one is based on the Jordan reduction of matrices, and provides a polynomial time algorithm to compute the square roots of a given matrix. For details, see [3] (chapter VIII, p. 231).

The second one is based on the Cayley-Hamilton theorem. Let us denote by

$$\chi_M(\lambda) = \lambda^n + a_{n-1}(M)\,\lambda^{n-1} + \cdots + a_1(M)\,\lambda + a_0(M)$$

the characteristic polynomial of a matrix M ∈ M_n(K). Since K is a field of characteristic 2, it is easy to prove that $a_i(M^2) = (a_i(M))^2$ (0 ≤ i ≤ n − 1).

Suppose now that A satisfies A^2 = B for a given B. Then, from the Cayley-Hamilton theorem ($\chi_A(A) = 0$), by grouping the even and odd powers of A (so that $A^{2j} = B^j$ and $A^{2j+1} = A B^j$), we obtain the following formula:

$$A = \left(\sqrt{a_0(B)}\, I + \sqrt{a_2(B)}\, B + \cdots\right)\left(\sqrt{a_1(B)}\, I + \sqrt{a_3(B)}\, B + \cdots\right)^{-1}.$$

This method can only be used when $\sqrt{a_1(B)}\, I + \sqrt{a_3(B)}\, B + \cdots$ is invertible.

Note: The scheme can also be used in signature. To sign a message M, the basic idea is to compute x from y = h(R || M) (as if we were deciphering a message), where h is a hash function and R is a small pad. If we succeed, (x, R) is the signature of M. If not (because the function is not a bijection), we try another pad R (for variants and details, see [ref], where a similar idea is used).

12 Cryptanalysis of [C_n]

This section is given in appendix 3.

13 A Suggestion: the HM Scheme

The cryptanalysis of [C_n] described in section 12 uses the fact that A and B commute when B = A^2. In order to avoid that very special algebraic property, we suggest to replace the transformation B = A^2 by the equation B = A^2 + MA, where M is a secret matrix randomly chosen in M_n(K).

The description of the obtained scheme, called HM, is exactly the same as for [C_n]. As in section 11, the transformation is generally not one-to-one, but the scheme can be used in a practical way because, as in the case of [C_n], the number of pre-images of a given average matrix B remains under a reasonable limit. Table 4 below illustrates this fact (for a randomly chosen matrix M).

To obtain a practical scheme, one has to be able to solve the equation A^2 + MA = B for a given matrix B ∈ M_n(K). There indeed exists a polynomial time algorithm to perform this computation (see [3], chapter VIII). The basic idea of this algorithm is to use the fact that B = A^2 + MA implies g(A) = 0, where g(X) = det(X^2 + X · M − B) is a polynomial with scalar coefficients (notice that this property is a generalization of the Cayley-Hamilton theorem). The equation g(A) = 0 can be solved by using the Jordan reduction of matrices.



# pre-images   n = 2   n = 3   n = 4
0              6       284     39552
1              8       112     12024
2              0       42      6576
3              0       32      2256
4              2       34      1868
5              0       0       960
6              0       0       972
7              0       0       168
8              0       2       324
9              0       0       48
10             0       2       144
11             0       0       96
12             0       4       162
13             0       0       56
14             0       0       72
15             0       0       48
16             0       0       72
17             0       0       0
18             0       0       12
19             0       0       24
20             0       0       24
21             0       0       0
22             0       0       24
23-25          0       0       0
26             0       0       36
27             0       0       0
28             0       0       6
29-33          0       0       0
34             0       0       4
35-39          0       0       0
40             0       0       8
> 40           0       0       0

Table 4: Number of pre-images for HM over F_2 (toy examples). Each row gives, for the stated number of pre-images A of a matrix B under A ↦ A^2 + MA, how many matrices B have exactly that many.





            n = 2            n = 3            n = 4
p = 2       10   16 / 39     3   11 / 133     3   18 / 49
p = 3       1    ? / 14      1   ? / 11       1   1 / 18
p = 31      0    0 / 1       0   0 / 1        0   0 / 1
p = 127     0    0 / 0       0   0 / 0        0   0 / 0

Table 5: Number of equations of type (1), type (4) / type (2) for HM over K = F_p. In each cell the first two numbers are the counts of type (1) and type (4) equations and the number after the slash is the count of type (2) equations; entries marked ? are not legible in the scan.



The HM scheme seems less vulnerable to attacks based on affine multiples (i.e. on equations such as those of type (1), (2) or (4)), as shown in table 5 above (equations (4) are defined in appendix 3). However, we have made computations (see table 6 below, in which the y_i variables have been replaced by explicit values) showing that equations of type (3) (defined in section 4) still exist, and also equations of "type (5)", defined by:

$$\sum \nu_{ij}\, x_i x_j + \sum \alpha_i\, x_i + \sum \beta_i\, y_i + \delta_0 = 0 \quad (5)$$



HM               n = 2   n = 3   n = 4
Equations (5)    7       17      31
Equations (3)    9       30      58

Table 6: Number of linearly independent equations
Note: It may be noticed that B = A^2 + MA implies the two following identities:

  AB − BA = AMA − MA^2          (type (5))
  A^2 B − B A^2 = BMA − MAB     (type (3))

This explains, in part, the existence of such equations of types (5) and (3).

The existence of such equations threatens the HM scheme. In fact they make the cryptanalyst able to distinguish between a random quadratic transformation of K^{n^2} and a quadratic transformation corresponding to the HM scheme. This explains why we do not recommend the HM scheme. However, at present, the existence of equations of type (5) and type (3) does not seem sufficient to break the scheme. Therefore, the question of the security of HM remains open.
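Tables 2 and 4 and the two identities of the note above can all be reproduced by brute force for small n. The Python block below is an added example, not code from the paper: it enumerates every A in M_n(F_2) under the maps A ↦ A^2 ([C_n]) and A ↦ A^2 + MA (HM), builds the histogram of pre-image counts, and checks both identities of the note for every A. The matrix M and the seed are constructed here, so the HM histogram shows the shape of table 4 rather than its exact values, which depend on the M the authors drew; function names are assumptions.

```python
"""Pre-image counting and commutation identities for the hidden-matrix maps of [C_n]
(B = A^2) and HM (B = A^2 + M A) over F_2. Constructed example; M is drawn from a fixed seed."""
from collections import Counter
from itertools import product
import random


def mat_mul(A, B):
    """Product of square matrices over F_2 (entries 0/1; sums taken mod 2)."""
    n = len(A)
    return tuple(tuple(sum(A[i][k] & B[k][j] for k in range(n)) & 1 for j in range(n))
                 for i in range(n))


def mat_add(A, B):
    """Sum over F_2; in characteristic 2 this is also the difference."""
    return tuple(tuple(a ^ b for a, b in zip(ra, rb)) for ra, rb in zip(A, B))


def all_matrices(n):
    """Every n x n matrix over F_2 as a tuple of row tuples (2^(n^2) of them)."""
    for entries in product((0, 1), repeat=n * n):
        yield tuple(entries[i * n:(i + 1) * n] for i in range(n))


def image(A, M=None):
    """A^2 for [C_n], or A^2 + M A for HM when M is given."""
    B = mat_mul(A, A)
    return B if M is None else mat_add(B, mat_mul(M, A))


def preimage_histogram(n, M=None):
    """{k: number of matrices B in M_n(F_2) with exactly k pre-images A} (tables 2 and 4)."""
    hits = Counter(image(A, M) for A in all_matrices(n))
    histogram = Counter(hits.values())
    missing = 2 ** (n * n) - len(hits)      # matrices B that are hit by no A at all
    if missing:
        histogram[0] = missing
    return dict(histogram)


def random_matrix(n, seed):
    """A constructed secret matrix M for HM (fixed seed so the run is reproducible)."""
    rng = random.Random(seed)
    return tuple(tuple(rng.randrange(2) for _ in range(n)) for _ in range(n))


def hm_identities_hold(n, M):
    """Check, for every A in M_n(F_2) and B = A^2 + M A, the two identities of the note:
       A B - B A = A M A - M A^2        (an equation of type (5))
       A^2 B - B A^2 = B M A - M A B    (an equation of type (3))
    written with + for - because the characteristic is 2."""
    for A in all_matrices(n):
        B = image(A, M)
        A2 = mat_mul(A, A)
        lhs5 = mat_add(mat_mul(A, B), mat_mul(B, A))
        rhs5 = mat_add(mat_mul(mat_mul(A, M), A), mat_mul(M, A2))
        lhs3 = mat_add(mat_mul(A2, B), mat_mul(B, A2))
        rhs3 = mat_add(mat_mul(mat_mul(B, M), A), mat_mul(M, mat_mul(A, B)))
        if lhs5 != rhs5 or lhs3 != rhs3:
            return False
    return True


if __name__ == "__main__":
    print("[C_2]:", preimage_histogram(2))   # {0: 6, 1: 8, 4: 2}, as in table 2
    print("[C_3]:", preimage_histogram(3))   # {0: 252, 1: 160, 2: 42, 4: 56, 22: 2}
    M = random_matrix(3, seed=7)
    print("HM, n = 3, one constructed M:", preimage_histogram(3, M))
    print("identities of the note hold for every A:", hm_identities_hold(3, M))
```

The n = 4 columns of tables 2 and 4 are reachable the same way (65536 matrices), and the identity check is what a designer would run before trusting a hidden-matrix variant: any polynomial identity that holds for all A becomes a public relation between cleartext and ciphertext bits once s and t, being affine, are folded in.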

14 Conclusion

Among cryptologists that have studied the problem, two main opinions arise as concerns public key schemes built with multivariate polynomials. Some of them think that most of these schemes should be vulnerable to attacks based on general principles, still to be found. According to others, the status of those many schemes can be compared to the one of most secret key algorithms: no relative proof of security is known, but the great flexibility for the choice among the possible variants of the schemes, together with the relative easiness for building efficient schemes that avoid known attacks, may support a certain confidence in the security of the schemes, at least, a priori, for those which do not seem too close to known cryptanalytic techniques.

The present article does not settle the question once and for all. Nevertheless, it gives arguments for both opinions. On the one hand, we have shown how to break some schemes for which no cryptanalysis had been given before. On the other hand, we have studied some simple and general ideas (removing equations, adding ones, introducing new variables...) that might, a priori, sensibly enforce the security of some asymmetric schemes. Interesting mathematical questions naturally arise: better understanding and detecting orthogonal polynomials, using a non commutative ring of matrices to generate multivariate equations on a (commutative) field, etc. If we had to take a strong line as concerns the unbroken schemes, our current opinion is that the most provocative schemes (C*_-, HM) may be too close to known cryptanalysis to be recommended, but more complex schemes (such as HFE) may be really secure... However, it is still too soon to have a definitive opinion, and we think that, above all, the important point is to go further into the understanding of the mysterious links between mathematics and the concepts of asymmetric cryptography and cryptanalysis.
Appendix 1: First Cryptanalysis of C*_-

Principle of the attack: Let P be the complete public form of C*. We suppose that the first r public equations have been removed. Let P_{(r+1)...n} be the remaining part of P. The aim of the attack is to recover the public equations P_{1...r} and then to use the classical attack of [ref]. Obviously, those equations can be found only modulo the vector space generated by all the public equations. The basic idea is to use the so-called polar form of P, defined by

$$Q(x, t) := P(x + t) - P(x) - P(t).$$

Description of the algorithm:

1) Choose randomly t ≠ 0 and x^{(0)}.

2) Compute z_{(r+1)...n} = Q_{(r+1)...n}(x^{(0)}, t).

3) Solve the equation

$$Q_{(r+1)\ldots n}(x, t) = z_{(r+1)\ldots n}, \quad (**)$$

where x is the unknown. There are at least two solutions (x^{(0)} and x^{(0)} + t) and at most 2 · 2^r solutions, because, for a given value z_{1...r} (among 2^r possible), the equation Q(x, t) = z has 0 or 2 solutions (see the extended version for a proof).

Steps 1, 2 and 3 are repeated until we obtain the maximum number of solutions: 2 · 2^r (we use each time a different choice for t ≠ 0 and x^{(0)}). The average number of necessary tries is estimated to be about 2^r.

4) Suppose we have found t ≠ 0 and x^{(0)} such that the (**) equation has exactly 2 · 2^r solutions: x^{(0)}, x^{(0)} + t, ..., x^{(2^r - 1)}, x^{(2^r - 1)} + t. Let k be an integer such that 1 ≤ k ≤ r. For half of the solutions, we have Q_k(x, t) = 0, and for the other half, we have Q_k(x, t) = 1, and this remains true if we consider only the subset x^{(0)}, ..., x^{(2^r - 1)} of the set of solutions. Therefore

$$\sum_{\mu = 0}^{2^r - 1} Q_k(x^{(\mu)}, t) = 2^{r-1},$$

which gives an equation of degree one on the [...] + 1 coefficients of Q_k (this equation is the same for all the values k, 1 ≤ k ≤ r).

5) By repeating steps 1-4 O(n^2) times, with different choices of (x^{(0)}, t), we expect to find [...] equations on the coefficients of the Q_k (1 ≤ k ≤ r). This gives Q_1, ..., Q_r modulo the vector space generated by all the public equations.

6) Once Q is completely known, we deduce P_1, ..., P_n (there is a technical problem when the characteristic of K is 2, see the extended version), and the classical attack of [ref] can be applied, so that C*_- is broken for small r values. The complexity of this cryptanalysis is O(q^r), plus the complexity of the cryptanalysis of the original C* scheme.

Note: This cryptanalysis uses deeply the fact that C* is a permutation polynomial. A general theory about permutation polynomials, and the related notion of orthogonal systems of equations, can be found in [ref], chapter 7.

Appendix 2: First Cryptanalysis of [C]

The security of the cryptosystem is based on the difficulty of solving the system (5) (defined in section 9) of 4 quadratic equations in 4 variables over K = F_{2^m}. Unfortunately, such a system can always be easily solved by using an algorithm based on Gröbner bases. At present, the best implementations of Gröbner bases can solve any set of n quadratic equations with n variables over any reasonable field K, when n ≤ 16 approximately (cf. [ref]). Therefore, the original [C] is not secure.

This first cryptanalysis shows that the parameter n must not be too small if we want to avoid attacks based on algebraic methods for solving systems of multivariate polynomial equations. That is why we are going to describe a generalization of the scheme to higher dimensions (for which Gröbner bases algorithms are inefficient) in section 11.

Appendix 3: Cryptanalysis of [C_n]

In this section, we describe a polynomial attack against the [C_n] algorithm, which proves that this scheme is insecure. The key idea is to use the fact that B = A^2 implies AB = BA (whereas two random matrices A and B do not commute in general). We begin by computing all the equations of type (1). The relation AB = BA gives a priori n equations of this type. In fact, when we give explicit values to the y_i variables, we cannot obtain n independent linear equations on the x_i variables, since AB = BA is also true when B = P(A), where P is any polynomial in K[X]. The exact number of independent linear equations coming from AB = BA is given by the following result of [ref]:

Theorem. The number N of linearly independent matrices that commute with the matrix B is given by the formula N = n_1 + 3n_2 + ... + (2t − 1)n_t, where n_1, n_2, ..., n_t are the degrees of the non constant invariant polynomials of B.

See [ref], chapter VI, for the definition of the invariant polynomials, and chapter VIII for a proof of the theorem. In particular, we have n ≤ N ≤ n^2, with N ≠ n in most of the cases. It remains, a priori, to perform an exhaustive search on ≈ n variables to end the attack. In fact, we have made some simulations (see table 3 below) that suggest that there also exist many equations of type (2) (defined in section 4), and of type (4), defined by:

$$\sum \gamma_{ij}\, x_i y_j + \sum \rho_{ij}\, y_i y_j + \sum \alpha_i\, x_i + \sum \beta_j\, y_j + \delta_0 = 0 \quad (4)$$





            n = 2            n = 3             n = 4
p = 2       10   16 / 39     10   18 / 153     17   32 / 292
p = 3       4    4 / 28      9    9 / 89       16   16 / 271
p = 31      3    3 / 14      8    8 / 79       15   15 / 254
p = 127     3    3 / 14      8    8 / 79       15   15 / 254

Table 3: Number of equations of type (1), type (4) / type (2) for [C_n] over F_p. In each cell the first two numbers are the counts of type (1) and type (4) equations and the number after the slash is the count of type (2) equations.
Note: For p = 2, on these examples, we obtain (n + 1) (formally) linearly independent equations of type (1). This can be explained by the fact that, on the field K = F_2, the equation B = A^2 implies tr(B) = tr(A).

These equations of type (1), (2) and (4) can be found by Gaussian reductions on a polynomial number of cleartext/ciphertext pairs. Therefore, the [C_n] scheme is unlikely to be secure: by using all the found equations of type (1), (2) and (3), a cleartext is easily found by Gaussian reductions.
Abstract. They came into prominence in the 1970's, though their roots extend back several centuries. In the 1980's, they survived substantial testing and many new members were added. The roles of their various members became better understood in the 1990's, as the families gained influence throughout the world.

These are, of course, the two families of public-key cryptography. One family consists of algorithms whose security is based on the discrete logarithm problem (DLP), including elliptic curve cryptography (ECC). The other bases its security on the difficulty of integer factorization. Today, both families have significant influence and applications. They have much in common, having emerged, survived and grown together. Researchers have studied numerous aspects of these families, from underlying security, to algorithms and protocols, to generation of keys and parameters, to efficient implementation. Standards are being written with each family in mind, and it is clear that each family will play a part in the security infrastructure that is now being developed.

How the families came to be, how they are similar, how they differ, and how the strengths of each can be combined, are all questions of current interest in assessing what role each family is likely to have, as we move into the next century.
Abstract. Elliptic curve cryptosystems, proposed by Koblitz ([ref]) and Miller ([ref]), can be constructed over a smaller field of definition than the ElGamal cryptosystems ([ref]) or the RSA cryptosystems ([ref]). This is why elliptic curve cryptosystems have begun to attract notice. In this paper, we investigate efficient elliptic curve exponentiation. We propose a new coordinate system and a new mixed coordinates strategy, which significantly improves on the number of basic operations needed for elliptic curve exponentiation.

Key words: elliptic curve exponentiation, coordinate system

1 Introduction

Koblitz ([ref]) and Miller ([ref]) proposed a method by which public key cryptosystems can be constructed on the group of points of an elliptic curve over a finite field instead of a finite field. If elliptic curve cryptosystems satisfy both MOV-conditions ([ref]) and FR-conditions ([ref]), and avoid p-divisible elliptic curves over F_{p^r} ([ref]), then the only known attacks are the Pollard ρ-method ([ref]) and the Pohlig-Hellman method ([ref]). Hence with current knowledge, we can construct elliptic curve cryptosystems over a smaller definition field than the discrete-logarithm-problem (DLP)-based cryptosystems like the ElGamal cryptosystems ([ref]) or the DSA ([ref]) and RSA cryptosystems ([ref]). Elliptic curve cryptosystems with a 160-bit key are thus believed to have the same security as both the ElGamal cryptosystems and RSA with a 1,024-bit key. This is why elliptic curve cryptosystems have been discussed in ISO/IEC CD 14883-3, ISO/IEC DIS 11770-3, ANSI ASC X.9, X.9.62, and IEEE P1363 ([ref]). As standardization advances, fast implementations of elliptic curve cryptosystems have been reported.

There are two approaches for efficient elliptic curve exponentiation. One uses general methods valid for any elliptic curve. The other uses ad-hoc methods for special elliptic curves, which use the complex multiplication field ([ref]). For security purposes, an elliptic curve should not be fixed and should be changed periodically. Therefore an efficient algorithm valid for any elliptic curve, and not for a fixed elliptic curve, is desirable. This paper explores an efficient algorithm valid for any elliptic curve.

K. Ohta and D. Pei (Eds.): ASIACRYPT'98, LNCS 1514, pp. 51-[...], 1998.

© Springer-Verlag Berlin Heidelberg 1998

Elliptic curve exponentiations involve three different factors: the field of definition, the addition-chains ([ref]), and the coordinate systems. For the field of definition, we may choose optimal fields on which modular reduction is efficient ([ref]) or on which inversion is efficient ([ref]). For the addition-chains, the addition-subtraction method is usually mixed with the window method ([ref]). On the other hand, the optimal coordinate systems have not been so thoroughly studied, though there have been some proposals ([ref]). In this paper, we study optimal coordinates for the case of a field of definition F_p (with p larger than 3). We propose a new coordinate system and a new mixed coordinates strategy for elliptic curve exponentiation.

1. Coordinates of an elliptic curve

An elliptic curve can be represented using several coordinate systems. For each such system, the speed of additions and doublings is different. Therefore a good choice of coordinate system is an important factor for elliptic curve exponentiations. Affine coordinates and projective coordinates are well known ([ref]). Two more coordinate systems, the Jacobian coordinates and the five element Jacobian coordinates (which we will call the Chudnovsky Jacobian coordinates) have been proposed in [ref]. The efficiency of Jacobian coordinates for elliptic curve exponentiation is discussed in [ref].

In the present paper, we introduce what we call modified Jacobian coordinates, which give faster doublings than affine, projective, Jacobian and Chudnovsky Jacobian coordinates. Since doublings take the largest part of the time for an elliptic curve exponentiation, this leads to noticeable improvements.

2. Strategy of elliptic curve exponentiation

Although we have at our disposal five coordinate systems including our new one, there is no single system which gives both fast doublings and fast additions: for example, the Jacobian coordinates have faster doublings but slower additions than the Chudnovsky Jacobian coordinates. Up to now, for fast elliptic curve exponentiation, a single coordinate system has been used which minimizes the total computation time ([ref]). This is not the best method since some coordinates are good at additions and others are good at doublings. In this paper, we propose a new strategy using mixed coordinate systems for efficient elliptic curve exponentiation: for doublings, we use the best possible system for doublings, and for additions, we use the best possible system for additions.

This paper is organized as follows. Section 2 discusses the four known coordinate systems. Section 3 presents our new coordinate system and investigates strategies using mixed coordinate systems. The number of basic field operations for elliptic curve exponentiation using mixed coordinates is also estimated. Section 4 presents an implementation of our strategy.



2 The Coordinate Systems 

An elliptic curve can be represented by several coordinate systems. We give 
here the addition and doubling formulas for affine coordinates (E3), projective 
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coordinates (d). Jacobian coordinates (PEI), and Chudnovsky Jacobian coor- 
dinates (Q), as well as the necessary number of field operations. From now on, 
we assume that Fp is a field with p > 3 . 

2.1 The Addition Formulas in AfRne Coordinate 

Let 

$E : y^2 = x^3 + ax + b \quad (a, b \in \mathbb{F}_p,\ 4a^3 + 27b^2 \neq 0)$ 

be the equation of an elliptic curve $E$ over $\mathbb{F}_p$. 

The addition formulas for affine coordinates are the following. Let $P = (x_1, y_1)$, $Q = (x_2, y_2)$ and $P + Q = (x_3, y_3)$ be points on $E(\mathbb{F}_p)$. 

• Curve addition formulas in affine coordinates ($P \neq \pm Q$) 

$x_3 = \lambda^2 - x_1 - x_2, \quad y_3 = \lambda(x_1 - x_3) - y_1,$ (1) 

where $\lambda = (y_2 - y_1)/(x_2 - x_1)$; 

• Curve doubling formulas in affine coordinates ($P = Q$) 

$x_3 = \lambda^2 - 2x_1, \quad y_3 = \lambda(x_1 - x_3) - y_1,$ (2) 

where $\lambda = (3x_1^2 + a)/(2y_1)$. 

Here we discuss the computation times for these formulas in detail. For simplicity, we neglect addition, subtraction and multiplication by a small constant in $\mathbb{F}_p$ because they are much faster than multiplication and inversion in $\mathbb{F}_p$. Let us denote the computation time of an addition (resp. a doubling) by $t(\mathcal{A} + \mathcal{A})$ (resp. $t(2\mathcal{A})$) and represent multiplication (resp. inversion, resp. squaring) in $\mathbb{F}_p$ by $M$ (resp. $I$, resp. $S$). Then we see that $t(\mathcal{A} + \mathcal{A}) = I + 2M + S$ and $t(2\mathcal{A}) = I + 2M + 2S$. 

2.2 The Addition Formulas in Projective Coordinates 

For projective coordinates, we set $x = X/Z$ and $y = Y/Z$, giving the equation 
$E_{\mathcal{P}} : Y^2 Z = X^3 + aXZ^2 + bZ^3$. 

The addition formulas in projective coordinates are the following. Let $P = (X_1, Y_1, Z_1)$, $Q = (X_2, Y_2, Z_2)$ and $P + Q = R = (X_3, Y_3, Z_3)$. 

• Curve addition formulas in projective coordinates ($P \neq \pm Q$) 

$X_3 = vA, \quad Y_3 = u(v^2 X_1 Z_2 - A) - v^3 Y_1 Z_2, \quad Z_3 = v^3 Z_1 Z_2,$ (3) 

where $u = Y_2 Z_1 - Y_1 Z_2$, $v = X_2 Z_1 - X_1 Z_2$, $A = u^2 Z_1 Z_2 - v^3 - 2v^2 X_1 Z_2$; 

• Curve doubling formulas in projective coordinates ($R = 2P$) 

$X_3 = 2hs, \quad Y_3 = w(4B - h) - 8Y_1^2 s^2, \quad Z_3 = 8s^3,$ (4) 

where $w = aZ_1^2 + 3X_1^2$, $s = Y_1 Z_1$, $B = X_1 Y_1 s$, $h = w^2 - 8B$. 

The computation times are $t(\mathcal{P} + \mathcal{P}) = 12M + 2S$ and $t(2\mathcal{P}) = 7M + 5S$, where $\mathcal{P}$ means projective coordinates. 
2.3 The Addition Formulas in Jacobian and Chudnovsky Jacobian Coordinates 

For Jacobian coordinates, we set $x = X/Z^2$ and $y = Y/Z^3$, giving the equation 
$E_{\mathcal{J}} : Y^2 = X^3 + aXZ^4 + bZ^6$. 

The addition formulas in the Jacobian coordinates are the following. Let $P = (X_1, Y_1, Z_1)$, $Q = (X_2, Y_2, Z_2)$ and $P + Q = R = (X_3, Y_3, Z_3)$. 

• Curve addition formulas in Jacobian coordinates ($P \neq \pm Q$) 

$X_3 = -H^3 - 2U_1 H^2 + r^2, \quad Y_3 = -S_1 H^3 + r(U_1 H^2 - X_3), \quad Z_3 = Z_1 Z_2 H,$ (5) 

where $U_1 = X_1 Z_2^2$, $U_2 = X_2 Z_1^2$, $S_1 = Y_1 Z_2^3$, $S_2 = Y_2 Z_1^3$, $H = U_2 - U_1$, $r = S_2 - S_1$; 

• Curve doubling formulas in Jacobian coordinates ($R = 2P$) 

$X_3 = T, \quad Y_3 = -8Y_1^4 + M(S - T), \quad Z_3 = 2Y_1 Z_1,$ (6) 

where $S = 4X_1 Y_1^2$, $M = 3X_1^2 + aZ_1^4$, $T = -2S + M^2$. 

The computation times are $t(\mathcal{J} + \mathcal{J}) = 12M + 4S$ and $t(2\mathcal{J}) = 4M + 6S$, where $\mathcal{J}$ means Jacobian coordinates. 

We see that Jacobian coordinates offer a faster doubling and a slower addition than projective coordinates. In order to make an addition faster, we should represent internally a Jacobian point as the quintuple $(X, Y, Z, Z^2, Z^3)$. This is called the Chudnovsky Jacobian coordinate and denoted by $\mathcal{J}^c$. The addition formulas in the Chudnovsky Jacobian coordinates are the following. Let $P = (X_1, Y_1, Z_1, Z_1^2, Z_1^3)$, $Q = (X_2, Y_2, Z_2, Z_2^2, Z_2^3)$ and $P + Q = R = (X_3, Y_3, Z_3, Z_3^2, Z_3^3)$. 

• Curve addition formulas in Chudnovsky Jacobian coordinates ($P \neq \pm Q$) 

$X_3 = -H^3 - 2U_1 H^2 + r^2, \quad Y_3 = -S_1 H^3 + r(U_1 H^2 - X_3), \quad Z_3 = Z_1 Z_2 H, \quad Z_3^2 = Z_3^2, \quad Z_3^3 = Z_3^3,$ (7) 

where $U_1 = X_1 (Z_2^2)$, $U_2 = X_2 (Z_1^2)$, $S_1 = Y_1 (Z_2^3)$, $S_2 = Y_2 (Z_1^3)$, $H = U_2 - U_1$, $r = S_2 - S_1$; 

• Curve doubling formulas in Chudnovsky Jacobian coordinates ($R = 2P$) 

$X_3 = T, \quad Y_3 = -8Y_1^4 + M(S - T), \quad Z_3 = 2Y_1 Z_1, \quad Z_3^2 = Z_3^2, \quad Z_3^3 = Z_3^3,$ (8) 

where $S = 4X_1 Y_1^2$, $M = 3X_1^2 + a(Z_1^2)^2$, $T = -2S + M^2$. 

The computation times are $t(\mathcal{J}^c + \mathcal{J}^c) = 11M + 3S$ and $t(2\mathcal{J}^c) = 5M + 6S$. 

3 A New Strategy for Elliptic Curve Exponentiation 

In this section, we investigate a new strategy for elliptic curve exponentiation. Up to now, since only one kind of coordinate system is used, it has been necessary that it should offer both an addition and a doubling with reasonable speed (not the fastest but not too slow). The Chudnovsky Jacobian coordinate system is a good example: it reduces the computation time of an addition by slightly increasing the doubling time, but this is still worthwhile since Jacobian coordinates have a rather faster doubling but slower addition time than projective coordinates. 

On the contrary, here we further improve on the Jacobian coordinate system in order to offer even faster doublings, and there will be no loss in elliptic curve exponentiation since we are going to use a new strategy of mixed coordinate systems. 

3.1 The Modified Jacobian Coordinates 

Here we modify the Jacobian coordinates in order to obtain the fastest possible doublings. For this, we represent internally the Jacobian coordinates as a quadruple $(X, Y, Z, aZ^4)$. We call this the modified Jacobian coordinate system, and denote it by $\mathcal{J}^m$. The addition formulas in the modified Jacobian coordinates are the following. Let $P = (X_1, Y_1, Z_1, aZ_1^4)$, $Q = (X_2, Y_2, Z_2, aZ_2^4)$ and $P + Q = R = (X_3, Y_3, Z_3, aZ_3^4)$. 

• Curve addition formulas in modified Jacobian coordinates ($P \neq \pm Q$) 

$X_3 = -H^3 - 2U_1 H^2 + r^2, \quad Y_3 = -S_1 H^3 + r(U_1 H^2 - X_3), \quad Z_3 = Z_1 Z_2 H, \quad aZ_3^4 = aZ_3^4,$ (9) 

where $U_1 = X_1 Z_2^2$, $U_2 = X_2 Z_1^2$, $S_1 = Y_1 Z_2^3$, $S_2 = Y_2 Z_1^3$, $H = U_2 - U_1$, $r = S_2 - S_1$; 

• Curve doubling formulas in modified Jacobian coordinates ($R = 2P$) 

$X_3 = T, \quad Y_3 = M(S - T) - U, \quad Z_3 = 2Y_1 Z_1, \quad aZ_3^4 = 2U(aZ_1^4),$ (10) 

where $S = 4X_1 Y_1^2$, $U = 8Y_1^4$, $M = 3X_1^2 + (aZ_1^4)$, $T = -2S + M^2$. 

The computation times are then $t(\mathcal{J}^m + \mathcal{J}^m) = 13M + 6S$ and $t(2\mathcal{J}^m) = 4M + 4S$. Obviously a modified Jacobian coordinate doubling is faster than a projective, Jacobian or Chudnovsky Jacobian coordinate doubling. Furthermore it is faster than an affine coordinate doubling unless $I < 3.6M$ ($S$ is set to $0.8M$), which seems extremely unlikely if $p$ is larger than 100 bits, independently of the field of definition $\mathbb{F}_p$ and of the implementation of inversion. 

3.2 Using Mixed Coordinates 

It is evidently possible to mix different coordinates, i.e. to add two points where one is given in some coordinate system and the other point is in some other coordinate system. We can also choose the coordinate system of the result. Since we have five different kinds of coordinate systems (represented by the symbols $\mathcal{A}$, $\mathcal{P}$, $\mathcal{J}$, $\mathcal{J}^c$ and $\mathcal{J}^m$), this gives a large number of possibilities. Generalizing slightly the notation used above, let us denote by $t(\mathcal{C}^1 + \mathcal{C}^2 = \mathcal{C}^3)$ the time for addition of points in coordinates $\mathcal{C}^1$ and $\mathcal{C}^2$ giving a result in coordinates $\mathcal{C}^3$, and by $t(2\mathcal{C}^1 = \mathcal{C}^2)$ the time for doubling a point in coordinates $\mathcal{C}^1$ giving a result in coordinates $\mathcal{C}^2$. Table 1 gives the computation times for additions and doublings in various coordinates (not all possible combinations are given, only the most useful ones). 
A small discussion is necessary if we want to compare computation times. The ratio $S/M$ is almost independent of the field of definition and of the implementation, and can be reasonably taken equal to 0.8. On the other hand, the ratio $I/M$ deeply depends on the field of definition and on the implementation: it can be estimated to be between $9M$ and $30M$ in the case of $p$ larger than 100 bits. From Table 1 we see that for a doubling using a fixed coordinate system, $\mathcal{J}^m$ is the best choice. On the other hand, for an addition using a fixed coordinate system, we cannot decide what is the best coordinate system independently of the relative speed of inversion: it will usually be $\mathcal{J}^c$ unless $I/M < 10.6$, in which case it will be $\mathcal{A}$. 
Table 1. Computation amount of addition and doubling 



3.3 Use of Mixed Coordinate Systems 

Elliptic curve exponentiation $kP$ usually combines the addition-subtraction method with the window method. We will set $n = \lfloor \log_2(k) \rfloor + 1$ (i.e. $n$ is the number of bits of $k$), and we denote the width of a window by $w$. Several representations in signed binary have been reported. Since our discussion does not depend on this representation, we restrict here $k$ to be in the following representation, 

$k = 2^{k_0}\bigl(2^{k_1}\bigl(\cdots 2^{k_{v-1}}\bigl(2^{k_v} W[v] + W[v-1]\bigr) \cdots\bigr) + W[0]\bigr),$ (11) 

where $W[i]$ is an odd integer in the range $-2^w + 1 \le W[i] \le 2^w - 1$ for all $i$, $W[v] > 0$, $k_0 \ge 0$ and $k_i \ge w + 1$ for $i \ge 1$. This representation is easy to obtain inductively by looking at the bit pattern of $k$. Then $kP$ can be computed using the following procedure: first precompute points $P_i = iP$ for odd integers $i$ with $1 \le i \le 2^w - 1$, set $P_{-i} = -P_i$ for each $i$, and then repeat doublings and additions/subtractions with these precomputed points. 

The first stage of computation, that is $2^{k_v} P_{W[v]}$, can be modified in order to reduce the computation amount as follows. In the case of $W[v] = 1$, $k_v$ doublings are reduced to $(k_v - w)$ doublings and 1 addition by setting 

$2^{k_v} P_1 = 2^{k_v - w}\bigl(P_{2^w - 1} + P_1\bigr).$ 

In the case of $W[v] = 3$, $k_v$ doublings are reduced to $(k_v - w + 1)$ doublings and 1 addition by setting 

$2^{k_v} P_3 = 2^{k_v - w + 1}\bigl(P_{2^w - 1} + P_{2^{w-1} + 1}\bigr).$ 

Similar modifications can be made for all $W[v] < [\text{illegible}]$, and one can show that the most significant doublings can be reduced by $(w^2 + 5w - 2)/(2w + 4)$ doublings minus $(w + 1)/(w + 2)$ additions on average. 

Up to now, we have used a single coordinate system in all the procedure. Here we propose to mix different coordinate systems by dividing the computation into three parts: we will use the coordinate system $\mathcal{C}^1$ for repeated main doublings (i.e. $2^{k_i - 1} P'$), the coordinate system $\mathcal{C}^2$ for the result of a final doubling (i.e. $2(2^{k_i - 1} P')$) and the coordinate system $\mathcal{C}^3$ for the precomputed points, where $P'$ is an intermediate point in the computation of $kP$. Summarizing, the computation of $kP$ is done by repeating $2^{k_i} P' + P_{W[i-1]} = 2(2^{k_i - 1} P') + P_{W[i-1]}$, whose computation time is equal to 

$(k_i - 1)\, t(2\mathcal{C}^1) + t(2\mathcal{C}^1 = \mathcal{C}^2) + t(\mathcal{C}^2 + \mathcal{C}^3 = \mathcal{C}^1).$ 

Let us now discuss suitable coordinate systems for $\mathcal{C}^1$, $\mathcal{C}^2$ and $\mathcal{C}^3$. Since doublings in $\mathcal{C}^1$ are repeated the most frequently, we should choose $\mathcal{C}^1$ such that $t(2\mathcal{C}^1)$ is the fastest, hence we set $\mathcal{C}^1$ equal to $\mathcal{J}^m$. 

We now look at the coordinates suitable for $\mathcal{C}^2$ and $\mathcal{C}^3$. In this case, we must also consider the computation time necessary for constructing the table of precomputed points, which requires addition routines. For those, Table 1 says that 

$t(\mathcal{J}^c + \mathcal{J}^c) < t(\mathcal{A} + \mathcal{A}) \iff 9M + 2S < I,$ (12) 

where $t(\mathcal{J}^c + \mathcal{J}^c)$ is the fastest of all addition routines with no inversions and a fixed coordinate system. From equation (12), the optimal coordinate system depends on the relative speed of inversion. Roughly speaking, when the relative speed of $I$ to $M$ is fast, we use affine coordinates as $\mathcal{C}^3$. When the relative speed of $I$ to $M$ is slow, we use Chudnovsky Jacobian coordinates as $\mathcal{C}^3$. In the next section, we first discuss each case generally, and then investigate the ratio of $I$ to $M$ in the case where $k$ has 160 bits, 192 bits, and 224 bits. 
3.4 Precomputed Points in Affine Coordinates 

We assume here that we choose $\mathcal{C}^3$ to be $\mathcal{A}$. For $\mathcal{C}^2$, we search for the coordinate system such that $t(2\mathcal{J}^m = \mathcal{C}^2) + t(\mathcal{C}^2 + \mathcal{A} = \mathcal{J}^m)$ is as small as possible. From Table 1 we see that both $\mathcal{J}^m$ and $\mathcal{J}$ are suitable choices for $\mathcal{C}^2$. Thus, we choose the simplest system $\mathcal{J}$. To summarize, we set $(\mathcal{C}^1, \mathcal{C}^2, \mathcal{C}^3) = (\mathcal{J}^m, \mathcal{J}, \mathcal{A})$. 

To compute the table of precomputed points $P_i$, we have two methods. We can compute it in the straightforward way, which requires a time of 

$2^{w-1} I + 2^w M + (2^{w-1} + 1) S.$ (13) 

Or we can use the well known Montgomery trick of simultaneous inversions: the inverses modulo $p$ of $m$ numbers can be computed in time $I + (3m - 3)M$ (see for example [2], Algorithm 10.3.4). We compute $(2P)$, then $(3P, 4P)$, $(5P, 7P, 8P)$, ..., $((2^{w-2} + 1)P, \ldots, (2^{w-1} - 1)P, 2^{w-1}P)$, $((2^{w-1} + 1)P, \ldots, (2^w - 1)P)$, giving a computation time of 

$wI + (5 \cdot 2^{w-1} + 2w - 10)M + (2^{w-1} + 2w - 3)S.$ (14) 

This will almost always be less than the time given in Equation (13) (for example, if $w = 4$, it will be the case if $I > 6.3M$). Furthermore the memory size necessary for constructing the table with Montgomery's trick is just the same as that in the above straightforward way. Thus, we will use this method for computing the table. 

To compute the first stage of doublings, that is $2^{k_v} P_{W[v]}$, we use the modification discussed in Section 3.3; for example if $W[v] = 1$ we compute 

$t(2^{k_v} P_{W[v]}) = t(\mathcal{A} + \mathcal{A} = \mathcal{J}^m) + (k_v - w - 1)\, t(2\mathcal{J}^m) + t(2\mathcal{J}^m = \mathcal{J}).$ 

On the other hand, in the final stage, that is $2^{k_0}(P' + P_{W[0]})$, we use $t(\mathcal{J} + \mathcal{A} = \mathcal{J})$ instead of $t(\mathcal{J} + \mathcal{A} = \mathcal{J}^m)$ if $k_0 = 0$, and otherwise we use $t(2\mathcal{J}^m = \mathcal{J})$ instead of $t(2\mathcal{J}^m)$ as the final doubling. 

We now discuss the total computation time. From the equations above, the total computation time $T^1_w(n)$ including the time for constructing a table of $P_i$ ($i$ odd, $1 \le i \le 2^w - 1$) is equal to 

$T^1_w(n) = wI + \Bigl(5 \cdot 2^{w-1} - 12 + \frac{[\text{illegible}]}{w + 2} + 4u + 8v\Bigr)M + \Bigl(2^{w-1} - 6 + \frac{[\text{illegible}]}{w + 2} + 4u + 5v\Bigr)S,$ (15) 

where $u$ is equal to $\sum_{i=0}^{v} k_i$. It is easily shown that the average interval between two windows is 2 bits ([2]). More precisely, one can show that we have approximately $u = n - w/2 + \theta$ and $v = (n - w/2 - \theta)/(w + 2)$, where $\theta = 1/2 - 1/(w + 2)$. Thus, if we set $n_1 = n - w/2$, $T^1_w(n)$ is approximately given by the following formula: 

$T^1_w(n) = wI + \Bigl(5 \cdot 2^{w-1} + [\text{illegible}] + 4n_1 + \frac{8}{w + 2}(n_1 - \theta)\Bigr)M + \Bigl(2^{w-1} + [\text{illegible}] + 4n_1 + \frac{5}{w + 2}(n_1 - \theta)\Bigr)S.$ (16) 
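As an added example (not the paper's code), the following Python implements the modified Jacobian formulas (9) and (10) and the mixed pattern of Section 3.4, with a counter that confirms $t(2\mathcal{J}^m) = 4M + 4S$. It assumes a constructed toy curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$, scans $k$ in plain binary instead of the signed window representation (11) (so the affine table is just $P$), and encodes the point at infinity as $Z = 0$.

```python
# Added example (not from the paper): modified Jacobian (J^m) arithmetic with an
# operation counter, plus kP in the mixed coordinates (C1, C2, C3) = (J^m, J, A)
# of Section 3.4.  Assumptions: plain left-to-right binary in place of the signed
# window representation (11), so the affine "table" is just P itself; the point
# at infinity is encoded as Z = 0 (affine: None); the curve y^2 = x^3 + 2x + 3
# over F_97 with P = (3, 6) of order 5 is a constructed toy curve.

class Field:
    """F_p arithmetic that counts M, S and I; additions and multiplications by
    small constants are free, as in the paper's cost model."""
    def __init__(self, p):
        self.p, self.M, self.S, self.I = p, 0, 0, 0
    def mul(self, x, y):
        self.M += 1; return x * y % self.p
    def sqr(self, x):
        self.S += 1; return x * x % self.p
    def inv(self, x):
        self.I += 1; return pow(x, self.p - 2, self.p)

def affine_add(F, a, P, Q):
    """Reference affine formulas (1) and (2), one inversion each."""
    if P is None: return Q
    if Q is None: return P
    x1, y1 = P; x2, y2 = Q
    if x1 == x2 and (y1 + y2) % F.p == 0: return None      # P == -Q
    if P == Q: lam = F.mul((3 * F.sqr(x1) + a) % F.p, F.inv(2 * y1 % F.p))
    else:      lam = F.mul((y2 - y1) % F.p, F.inv((x2 - x1) % F.p))
    x3 = (F.sqr(lam) - x1 - x2) % F.p
    return x3, (F.mul(lam, (x1 - x3) % F.p) - y1) % F.p

def to_jm(F, a, P):
    """Affine -> J^m: (X, Y, Z, aZ^4) with Z = 1; (1, 1, 0, 0) is infinity."""
    return (1, 1, 0, 0) if P is None else (P[0], P[1], 1, a % F.p)

def dbl_jm(F, P, to_j=False):
    """Formula (10): 2 J^m -> J^m in 4M + 4S.  With to_j=True the aZ^4
    component is not produced, which is t(2J^m = J) of Section 3.3."""
    X1, Y1, Z1, aZ4 = P
    YY = F.sqr(Y1)
    S = 4 * F.mul(X1, YY) % F.p
    U = 8 * F.sqr(YY) % F.p                          # 8 Y1^4
    M = (3 * F.sqr(X1) + aZ4) % F.p
    T = (F.sqr(M) - 2 * S) % F.p
    Y3 = (F.mul(M, (S - T) % F.p) - U) % F.p
    Z3 = 2 * F.mul(Y1, Z1) % F.p
    return (T, Y3, Z3) if to_j else (T, Y3, Z3, 2 * F.mul(U, aZ4) % F.p)

def add_j_a_to_jm(F, a, P, Q):
    """Mixed addition J + A -> J^m: formulas (5)/(9) with Z2 = 1, then the
    aZ3^4 component is rebuilt, which is t(J + A = J^m) of Section 3.4."""
    X1, Y1, Z1 = P; x2, y2 = Q
    if Z1 == 0: return to_jm(F, a, Q)
    ZZ = F.sqr(Z1)
    U2 = F.mul(x2, ZZ)                                # X2 Z1^2
    S2 = F.mul(y2, F.mul(Z1, ZZ))                     # Y2 Z1^3
    H = (U2 - X1) % F.p; r = (S2 - Y1) % F.p
    if H == 0:                                        # P == Q or P == -Q
        return dbl_jm(F, to_jm(F, a, Q)) if r == 0 else (1, 1, 0, 0)
    HH = F.sqr(H); HHH = F.mul(HH, H); V = F.mul(X1, HH)
    X3 = (F.sqr(r) - HHH - 2 * V) % F.p
    Y3 = (F.mul(r, (V - X3) % F.p) - F.mul(Y1, HHH)) % F.p
    Z3 = F.mul(Z1, H)
    return (X3, Y3, Z3, F.mul(a % F.p, F.sqr(F.sqr(Z3))))

def jm_to_affine(F, P):
    """Leave Jacobian coordinates with a single inversion."""
    X, Y, Z, _ = P
    if Z == 0: return None
    zi = F.inv(Z); zi2 = F.sqr(zi)
    return F.mul(X, zi2), F.mul(Y, F.mul(zi, zi2))

def mixed_mul(F, a, k, P):
    """kP (k >= 1): main doublings in J^m, the doubling preceding an addition
    yields J, and the affine point P is added back into J^m."""
    R = to_jm(F, a, P)
    for bit in bin(k)[3:]:                            # bits below the top one
        if bit == '0':
            R = dbl_jm(F, R)                          # t(2J^m)
        else:                                         # t(2J^m = J) + t(J + A = J^m)
            R = add_j_a_to_jm(F, a, dbl_jm(F, R, to_j=True), P)
    return jm_to_affine(F, R)

def affine_mul(F, a, k, P):
    """Plain affine double-and-add, used as the reference for kP."""
    R = None
    for bit in bin(k)[2:]:
        R = affine_add(F, a, R, R)
        if bit == '1': R = affine_add(F, a, R, P)
    return R

def count_dbl_jm(p, a, P):
    """(M, S) consumed by one J^m doubling; the paper gives 4M + 4S."""
    F = Field(p)
    dbl_jm(F, to_jm(F, a, P))
    return F.M, F.S

if __name__ == "__main__":
    F = Field(97)
    print("t(2J^m) =", count_dbl_jm(97, 2, (3, 6)))              # (4, 4)
    print([mixed_mul(F, 2, k, (3, 6)) for k in range(1, 6)])      # 5P is None
```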



Efficient Elliptic Curve Exponentiation Using Mixed Coordinates 



3.5 Precomputed Points in Chudnovsky Jacobian Coordinates 

We assume here that we choose $\mathcal{C}^3$ to be $\mathcal{J}^c$. For $\mathcal{C}^2$, we search for the coordinate system such that $t(2\mathcal{J}^m = \mathcal{C}^2) + t(\mathcal{C}^2 + \mathcal{J}^c = \mathcal{J}^m)$ is as small as possible. From Table 1 we see that both $\mathcal{J}^m$ and $\mathcal{J}$ are suitable choices for $\mathcal{C}^2$. Thus, we choose the simplest system $\mathcal{J}$. To summarize, we set $(\mathcal{C}^1, \mathcal{C}^2, \mathcal{C}^3) = (\mathcal{J}^m, \mathcal{J}, \mathcal{J}^c)$. 

The computation time for constructing a table of $P_i$ ($i$ odd, $1 \le i \le 2^w - 1$) is 

$t(2\mathcal{A} = \mathcal{J}^c) + (2^{w-1} - 2)\, t(\mathcal{J}^c + \mathcal{J}^c) + t(\mathcal{A} + \mathcal{J}^c = \mathcal{J}^c) = (11 \cdot 2^{w-1} - 11)M + (3 \cdot 2^{w-1} + 2)S.$ 

The first computation of $2P$ can be done instead using affine coordinates. In this case, the computation time for a table is 

$t(2\mathcal{A}) + (2^{w-1} - 2)\, t(\mathcal{A} + \mathcal{J}^c = \mathcal{J}^c) + t(\mathcal{A} + \mathcal{A} = \mathcal{J}^c) = I + (2^{w+2} - 9)M + (3 \cdot 2^{w-1} - 1)S.$ 

However, this is never optimal if $224 > k > 100$, so we omit this case. 

To compute the first stage of doublings, that is $2^{k_v} P_{W[v]}$, we use the modification discussed in Section 3.3; for example if $W[v] = 1$, we compute 

$t(2^{k_v} P_{W[v]}) = t(\mathcal{A} + \mathcal{J}^c = \mathcal{J}^m) + (k_v - w - 1)\, t(2\mathcal{J}^m) + t(2\mathcal{J}^m = \mathcal{J}).$ 

On the other hand, in the final stage of addition, that is $2^{k_0}(P' + P_{W[0]})$, we use $t(\mathcal{J} + \mathcal{J}^c = \mathcal{J})$ instead of $t(\mathcal{J} + \mathcal{J}^c = \mathcal{J}^m)$ if $k_0 = 0$, and otherwise we use $t(2\mathcal{J}^m = \mathcal{J})$ instead of $t(2\mathcal{J}^m)$ as the final doubling. 

Here we discuss the total computation amount. We obtain a total computation time $T^2_w(n)$ including the time for constructing a table of $P_i$ ($i$ odd, $1 \le i \le 2^w - 1$), given by 

$T^2_w(n) = \Bigl(11 \cdot 2^{w-1} - 2w - 7 - \frac{[\text{illegible}]}{w + 2} + 4u + \bigl(11 - 3/2^{w-1}\bigr)v\Bigr)M + \Bigl(3 \cdot 2^{w-1} - 2w - 1 + \frac{[\text{illegible}]}{w + 2} + 4u + 5v\Bigr)S.$ (17) 

Note that the term $3/2^{w-1}$ comes from the fact that although the $P_i$ for $i > 1$ are in Chudnovsky Jacobian coordinates, $P_1$ is in affine coordinates, so addition with $P_1$ is faster. 

In the same way as in Section 3.4, with $n_1 = n - w/2$, we get approximately 

$T^2_w(n) = \Bigl(11 \cdot 2^{w-1} - 2w + [\text{illegible}] + 4n_1 + \frac{11 - 3/2^{w-1}}{w + 2}(n_1 - \theta)\Bigr)M + \Bigl(3 \cdot 2^{w-1} - 2w - 3\theta + [\text{illegible}] + 4n_1 + \frac{5}{w + 2}(n_1 - \theta)\Bigr)S.$ (18) 

4 Time Comparisons Depending on the Ratio I/M 

4.1 The Case of k = 160 Bits 

To fix ideas, we assume here that $k$ has 160 bits and that $S = 0.8M$. In this case, the optimal value of $w$ is equal to 4, $u$ is approximately equal to 158.33, and $v$ is approximately equal to 26.28. We obtain the following results: 

1. $I < 30.5M$ 

The optimal mixed coordinate system is as in Section 3.4: $(\mathcal{C}^1, \mathcal{C}^2, \mathcal{C}^3) = (\mathcal{J}^m, \mathcal{J}, \mathcal{A})$. In other words, we use affine coordinates for computing the table, modified Jacobian coordinates in the main doublings (i.e. $2^{k_i - 1} P'$), and we compute the result of a final doubling (i.e. $2(2^{k_i - 1} P')$) using Jacobian coordinates. The computation time is given by $T^1_4(160) = 4I + 1488.4M$ (Equation (15)). 

2. $I > 30.5M$ 

The optimal mixed coordinate system is as in Section 3.5: $(\mathcal{C}^1, \mathcal{C}^2, \mathcal{C}^3) = (\mathcal{J}^m, \mathcal{J}, \mathcal{J}^c)$. In other words, we use Chudnovsky Jacobian coordinates for computing the table, modified Jacobian coordinates in the main doublings (i.e. $2^{k_i - 1} P'$), and we compute the result of a final doubling (i.e. $2(2^{k_i - 1} P')$) using Jacobian coordinates. The computation time is given by $T^2_4(160) = 1610.2M$ (Equation (17)). 

Let us compare our new method using mixed coordinate systems with the traditional method using a single coordinate system. If we use Jacobian coordinates and addition-subtraction with the window method as above, the computation time for elliptic curve exponentiation is approximately $1869.1M$, which is the best known among projective, Jacobian or Chudnovsky Jacobian coordinate systems. If we use our new modified Jacobian coordinates instead of the Jacobian coordinates, the computation time of elliptic curve exponentiation is improved to approximately $1708.2M$. On the other hand, affine coordinates would be worse. We thus see that the use of modified Jacobian coordinates $\mathcal{J}^m$ together with a clever use of mixed coordinate systems, with a computation time of at most $1610.2M$, gives a very significant improvement. 

4.2 The Case of k = 192 Bits 

We assume here that $k$ has 192 bits and that $S = 0.8M$. In this case, the optimal value of $w$ is equal to 4, $u$ is approximately equal to 190.33, and $v$ is approximately equal to 31.61. We obtain the following results: 

1. $I < 33.9M$ 

The optimal mixed coordinate system is as in Section 3.4: $(\mathcal{C}^1, \mathcal{C}^2, \mathcal{C}^3) = (\mathcal{J}^m, \mathcal{J}, \mathcal{A})$. The computation time is given by $T^1_4(192) = 4I + 1782.8M$ (Equation (15)). 

2. $I > 33.9M$ 

The optimal mixed coordinate system is as in Section 3.5: $(\mathcal{C}^1, \mathcal{C}^2, \mathcal{C}^3) = (\mathcal{J}^m, \mathcal{J}, \mathcal{J}^c)$. The computation time is given by $T^2_4(192) = 1918.5M$ (Equation (17)). 

Let us compare our new method using mixed coordinate systems with the traditional method using a single coordinate system. If we use Jacobian coordinates and addition-subtraction with the window method as above, the computation time for elliptic curve exponentiation is approximately $2228.6M$. If we use our new modified Jacobian coordinates instead of the Jacobian coordinates, the computation time of elliptic curve exponentiation is improved to approximately $2030.3M$. We thus see that the use of modified Jacobian coordinates $\mathcal{J}^m$, together with a clever use of mixed coordinate systems, with a computation time of at most $1918.5M$, gives a very significant improvement. 



4.3 The Case of k = 224 Bits 

We assume here that $k$ has 224 bits and that $S = 0.8M$. In this case, the optimal value of $w$ is equal to 4 except for the mixed coordinate system $(\mathcal{C}^1, \mathcal{C}^2, \mathcal{C}^3) = (\mathcal{J}^m, \mathcal{J}, \mathcal{A})$ of Section 3.4. In the case of $(\mathcal{C}^1, \mathcal{C}^2, \mathcal{C}^3) = (\mathcal{J}^m, \mathcal{J}, \mathcal{A})$, the optimal value of $w$ is determined by the relative speed of $I$ to $M$: if $I > 17.7M$, then $w = 4$, otherwise $w = 5$. Here we assume that $w$ is equal to 4 since $I > 17.7M$ in our implementation. Then $u$ is approximately equal to 222.33, and $v$ is approximately equal to 36.94. We obtain the following results: 

1. $I < 37.4M$ 

The optimal mixed coordinate system is as in Section 3.4: $(\mathcal{C}^1, \mathcal{C}^2, \mathcal{C}^3) = (\mathcal{J}^m, \mathcal{J}, \mathcal{A})$. The computation time is given by $T^1_4(224) = 4I + 2077.2M$ (Equation (15)). 

2. $I > 37.4M$ 

The optimal mixed coordinate system is as in Section 3.5: $(\mathcal{C}^1, \mathcal{C}^2, \mathcal{C}^3) = (\mathcal{J}^m, \mathcal{J}, \mathcal{J}^c)$. The computation time is given by $T^2_4(224) = 2226.8M$ (Equation (17)). 

Let us compare our new method using mixed coordinate systems with the traditional method using a single coordinate system. If we use Jacobian coordinates and addition-subtraction with the window method as above, the computation time for elliptic curve exponentiation is approximately $2588.1M$. If we use our new modified Jacobian coordinates instead of the Jacobian coordinates, the computation time of elliptic curve exponentiation is improved to approximately $2352.5M$. We thus see that the use of modified Jacobian coordinates $\mathcal{J}^m$ together with a clever use of mixed coordinate systems, with a computation time of at most $2226.8M$, gives a very significant improvement. 



5 Implementation 

5.1 Elliptic Curves 

Elliptic curves $E/\mathbb{F}_p$ with order divisible by a prime of at least 160 bits are secure if the trace of $E$ is equal to neither 0 nor 1. Here we implement two elliptic curves with 160-bit, 192-bit and 224-bit key size. 

Elliptic curve $E_1$ (160-bit key size) 

- a field of definition $\mathbb{F}_{p_1}$: $p_1 = 2^{160} - 2933$ 
- an elliptic curve $E_1 : y^2 = x^3 + a_1 x + b_1$, where 
  $a_1$ = 260304558782498478937947576884532782721650322528 
  $b_1$ = 173536372521665652625298384589688521814433548352, 
  $\#E_1(\mathbb{F}_{p_1}) = 3 \cdot 5 \cdot 157 \cdot q_1$, where $q_1$ is a prime 
  $q_1$ = 620595175087432237029165529381611169224913337 
- a point $P_1 = (x_1, y_1) \in E_1(\mathbb{F}_{p_1})$ with order $q_1$, where 
  $x_1$ = 1274 10436 88184 50369 80533 90568 22189 38631 36302 30379 
  $y_1$ = 572 21905 85804 38390 03353 99912 01426 54787 42865 52166 

Elliptic curve $E_2$ (192-bit key size) 

- a field of definition $\mathbb{F}_{p_2}$: $p_2 = 2^{192} - 3345$ 
- an elliptic curve $E_2 : y^2 = x^3 + a_2 x + b_2$, where 
  $a_2$ = 4297310835543015216800382740563318937925360220792632159597 
  $b_2$ = 2864873890362010144533588493708879291950240147195088106398, 
  $\#E_2(\mathbb{F}_{p_2}) = 5^2 \cdot q_2$, where $q_2$ is a prime 
  $q_2$ = 251084069415467230553431576922046178864919281484010333019 
- a point $P_2 = (x_2, y_2) \in E_2(\mathbb{F}_{p_2})$ with order $q_2$, where 
  $x_2$ = 523 46903 86238 76826 11193 52046 88411 23614 71708 15234 
  $y_2$ = 23 91039 55423 03027 66388 76206 81604 62176 43806 46680 

Elliptic curve $E_3$ (224-bit key size) 

- a field of definition $\mathbb{F}_{p_3}$: $p_3 = 2^{224} - 1025$ 
- an elliptic curve $E_3 : y^2 = x^3 + a_3 x + b_3$, where 
  $a_3$ = 12404576574124969701442337182895859753361802999610504592418729761688 
  $b_3$ = 9703580062017113395483118602749180613516894281953378592456586991002, 
  $\#E_3(\mathbb{F}_{p_3}) = 69 \cdot q_3$, where $q_3$ is a prime 
  $q_3$ = 390723864741313620212565436043762777712823516673432244734573782061 
- a point $P_3 = (x_3, y_3) \in E_3(\mathbb{F}_{p_3})$ with order $q_3$, where 
  $x_3$ = 24976530810051270927037584984009121071093885269663350011731968108524 
  $y_3$ = 8413026773932359434461208205958660967289659936639233132193427828113 

5.2 The Running Time 

We present the running times of elliptic curve exponentiation over our 160-bit and 192-bit fields of definition using our methods. We compare each mixed-coordinate strategy (cases 1 and 2 of Section 4) with the traditional method using a single coordinate system. Our modular arithmetic uses the GNU MP Library GMP ([7]), so as to make easy comparisons possible, since GMP may well be the most popular multiprecision library. The platform is an UltraSPARC (143 MHz / Solaris 2.4). Table 2 shows the running times. We see that our new strategy gives a very significant improvement. 

Table 2. Times for elliptic curve operations (UltraSPARC) 

                                                  160 bit key   192 bit key   224 bit key 
field operations (µsec) 
  160/192/224 bit addition                            0.59          0.64          0.71 
  160/192/224 bit multiplication                      6.50          8.93         12.00 
  160/192/224 bit squaring                            5.35          7.22          9.01 
  reduction (320/384/448 bit to 160/192/224 bit)      2.37          2.77          2.62 
  160/192/224 bit inverse                              166           213           261 
elliptic curve operations (msec) 
  addition (t(A + A))                                0.203         0.257         0.314 
  addition (t(J^c + J^c))                            0.130         0.171         0.215 
  addition (t(J + J))                                0.144         0.191         0.239 
  doubling (t(2J^m))                                 0.079         0.103         0.127 
  doubling (t(2J))                                   0.094         0.122         0.148 
elliptic curve exponentiation (msec) 
  mixed coordinates (case 1)                         16.17         24.93         35.73 
  mixed coordinates (case 2)                         16.66         25.54         37.53 
  single coordinate (Jacobian coordinate)            18.66         28.79         41.86 
  single coordinate (projective coordinate)          20.33         30.17         44.79 

6 Conclusion 

In this paper, we have introduced modified Jacobian coordinates which offer the fastest doubling of all known coordinate systems. The new modified Jacobian coordinates improve the computation time of 160-bit elliptic curve exponentiation to approximately $1708.2M$ even with the traditional method which uses a single coordinate system: the use of modified Jacobian coordinates reduces the computation time of the best known method by 9%. 

Furthermore we have proposed a new method using mixed coordinate systems, which divides elliptic curve exponentiation into three parts, and in each part we choose the optimal system. For these choices we have presented three cases according to the relative speed of inversion to multiplication over $\mathbb{F}_p$. We have seen that the use of modified Jacobian coordinates together with a clever use of mixed coordinate systems, having a computation time of at most $1610.2M$, gives a very significant improvement. Our new strategy with modified Jacobian coordinates reduces the computation time of the best known method by more than 14%. 
Abstract. Schoof's algorithm is used to find a secure elliptic curve for cryptosystems, as it can compute the number of rational points on a randomly selected elliptic curve defined over a finite field. By realizing an efficient combination of several improvements, such as Atkin-Elkies's method, the isogeny cycles method, and trial search by match-and-sort techniques, we can count the number of rational points on an elliptic curve over GF(p) in a reasonable time, where p is a prime whose size is around 240 bits. 



1 Introduction 

When we use the elliptic curve cryptosystem (ECC for short), we first have to define an elliptic curve over a finite field. Then, all cryptographic operations will be performed on the group of rational points on the curve. Since not all curves are secure, we should be very careful when we choose an elliptic curve for ECC. There are several methods to select a curve for ECC, such as Schoof's method, the CM (Complex Multiplication) method, and so on. The security of an elliptic curve for ECC depends mainly on the "cardinality" of the curve (the number of rational points on the curve, or the order of the group of rational points on the curve). For example, the cardinality should have a large prime factor to guard against the Pohlig-Hellman attack. Recent studies on special curves, supersingular curves and anomalous curves, suggest that there might exist certain efficient attacks on those curves using their speciality. From this point of view, Schoof's method is believed to be the best way to obtain the most secure elliptic curves for ECC, as it can compute the cardinality of a randomly selected curve. Moreover, there is heuristic but strong evidence that a random search on curves can certainly find good ones with prime cardinality. 

Schoof's algorithm was not efficient in its original form. Thanks to the contributions of many people, such as Atkin, Elkies, Morain, Couveignes, Lercier, and so on, the algorithm became remarkably faster. In the process of computing the cardinality of a given curve, we can combine several improvements on Schoof's algorithm, such as Atkin-Elkies' method, Lercier's method, and the isogeny cycles method. However, as far as the authors know, there were no explicit criteria that give a good combination of these improvements as subprocedures. 

K. Ohta and D. Pei (Eds.): ASIACRYPT'98, LNCS 1514, pp. 66-79, 1998. 
© Springer-Verlag Berlin Heidelberg 1998 
The purpose of this paper is to develop an explicit criterion by introducing several new strategies. In more detail, we introduce an "intelligent choice system" on several subprocedures based on estimates of their costs, and investigate its effects by practical experiments. With our implementation, one can count the cardinality of one curve for ECC corresponding to RSA with 1024-bit moduli within about one minute on average on a PC with a Pentium II 300 MHz CPU. And the average time for counting the cardinality suggests that its complexity is $O(\log(p)^{[\text{illegible}] + \varepsilon})$ for some $\varepsilon \ll 1$. Thus, incorporated with the "early abort" strategy, Schoof's method is recommended, as a practical one, to find good secure curves. 

In the following sections, we consider curves over fields of odd characteristic. The proposed strategy/methods, however, can be applied independently of the characteristic of the base field. In Section 2, we will briefly look over the improvements of Atkin-Elkies. In Section 3, we will introduce new improvements and show an explicit criterion. In Section 4, we will give our experimental results to show that our improvements are actually efficient. 

2 Overview of Previous Works 

Let $p$ be an odd prime. We will consider an elliptic curve $E$ defined over the finite field $GF(p)$ of order $p$: $E : y^2 = x^3 + Ax + B$, where $A, B \in GF(p)$ with $4A^3 + 27B^2 \neq 0 \pmod p$. For the mathematical background, see [15, 25, 26]. 

2.1 Schoof's Algorithm 

First we will briefly recall Schoof's algorithm. We denote the subgroup of $\ell$-torsion points of $E$ by $E[\ell]$ for a prime $\ell$. The Frobenius endomorphism $\phi : (x, y) \mapsto (x^p, y^p)$ of $E$ is also defined on the Tate module $T_\ell(E)$ as a linear map and satisfies the equation $\phi^2 - t\phi + p = 0$, where $t$ is the trace of the Frobenius map, which does not depend on $\ell$. Then 

$\#E(GF(p)) = p + 1 - t.$ (1) 

If we find an integer $t_\ell$ such that 

$\phi^2(P) + pP = t_\ell\, \phi(P)$ (2) 

for any $P \in E[\ell]$, we get $t \equiv t_\ell \pmod \ell$. By Hasse's theorem, $t$ must satisfy $-2\sqrt{p} \le t \le 2\sqrt{p}$. Therefore if we compute $t \bmod \ell$ for various small primes $\ell$ until their product exceeds $4\sqrt{p}$, we can uniquely determine the cardinality of the curve by means of the Chinese Remainder Theorem. By the theory of prime distribution, the largest prime $\ell$ necessary to find $t$ is bounded by $O(\log(p))$. 

We denote the $\ell$-th division polynomial by $f_\ell$, whose degree is $(\ell^2 - 1)/2$ for $\ell \ge 3$, and which vanishes precisely on the $x$-coordinates of the $\ell$-torsion points. As we compute (2) in the ring $GF(p)[x, y]/(y^2 - x^3 - Ax - B,\ f_\ell(x))$, the dominant step is the computation of $x^p$ and $y^p$ in that ring. From this, the complexity of this algorithm will be $O(\log^8(p))$. 
2.2 Atkin-Elkies' Improvement (SEA) 

Elkies' idea is to make use of a degree $(\ell - 1)/2$ factor $g_\ell$ of $f_\ell$ when it is possible to compute it in $GF(p)[x]$. (In this case, $\ell$ is called an Elkies prime. Otherwise $\ell$ is called an Atkin prime.) The factor $g_\ell$ represents an eigenspace of the Frobenius map $\phi$, which can be computed as the kernel of an isogeny map. Thus, $t \bmod \ell$ is calculated from the eigenvalue on the eigenspace. As the ratio of Elkies primes is expected to be $1/2$, this method reduces the complexity to $O(\log^6(p))$. Rather than determining the unique value of $t \bmod \ell$, Atkin obtained certain restrictions on the value. Then the real value of $t$ is found among a lot of candidates by, for example, the match-and-sort technique. 

The Schoof-Elkies-Atkin (SEA) method is obtained by combining the above two, and so it consists of two stages, namely (I) the collecting information stage and (II) the trial search stage: 

SEA 

(I) Collecting information on $t \bmod \ell$ for various $\ell$'s until $\prod \ell > 4\sqrt{p}$: 

(i) Compute the modular polynomial $\Phi_\ell$. 

(ii) Check if $\Phi_\ell(x, j(E)) \bmod p$ has a root in $GF(p)$. 

(ii-E) If $\Phi_\ell(x, j(E))$ has a root in $GF(p)$ (we call $\ell$ an Elkies prime), calculate $t_\ell = t \bmod \ell$ using $g_\ell$. 

(ii-A) Otherwise (we call $\ell$ an Atkin prime), calculate the possible values of $t \bmod \ell$. We denote the set of possible values of $t \bmod \ell$ by $T_\ell$. 

The set of Elkies primes is represented by $\mathcal{E}$, and the set of Atkin primes is represented by $\mathcal{A}$. 

(II) Determining the value of $t$ by trial search: 

Now, there are candidates $T$ for the value of $t$, where 

$T \bmod \ell = t_\ell$ for $\ell \in \mathcal{E}$, and $T \bmod \ell \in T_\ell$ for $\ell \in \mathcal{A}$. 

The value of $t$ is (uniquely) determined by trial search, that is, by testing if $(p + 1 - T)P = O$ for each candidate $T$, where $P$ is a sample rational point of $E$ and $O$ is the point at infinity, and this test is efficiently executed by the match-and-sort technique. 



2.3 Isogeny Cycles Method 

According to Morain et al. [?], $t \bmod \ell^2$, $t \bmod \ell^3, \ldots$ can be computed effi- 
ciently when $\ell$ is an Elkies prime. In the method, a factor $g_{\ell^k}$ of the $\ell^k$-th division 
polynomial $f_{\ell^k}$ is computed, where the degree of $g_{\ell^k}$ is at most $\ell^{k-1}(\ell-1)/2$. 
The isogeny cycles method is designed as a practical improvement to SEA, and 
so the following shall be modified: in (I), we replace $\prod \ell$ with $\prod \ell^k$, and in (II) 
$T \bmod \ell^k = t_{\ell^k}$ for each $\ell \in \mathcal{E}$, where $k$ depends on each Elkies prime $\ell$. For 
practical implementations and improvements, see [?]. 

From now on, we will consider methods based on SEA with the isogeny 
cycles method. Thus, in stage (I) we gather information on $t \bmod \ell^k$ for some $k > 0$, 
and we call the product of all primes or prime powers whose information will be 
used in the trial-search stage (II) the counter. So, when the counter exceeds $4\sqrt{p}$ 
in stage (I), we enter the next stage (II). 

3 Intelligent Choice System 

In an implementation of SEA with the isogeny cycles method, the following choices 
are very important for the total efficiency: 

1. the decision whether or not to apply the isogeny cycles method for $t \bmod \ell^k$ 
when we find an Elkies prime $\ell$, 

2. the decision whether to compute the candidates for the value of $t$ or just abandon 
it when we find an Atkin prime, and 

3. the setting of the counter and the usage of information with respect to Atkin 
primes. 

To give an efficient choice in various situations, and to optimize the total com- 
putation, we have to examine how the total efficiency changes for each 
choice. From this point of view, an estimate (guess) of the computational cost is 
very helpful. Here, as an attempt at this optimization, we propose new stra- 
tegies: usage of the estimate of costs to make an "efficient choice" at each step, 
and systematic treatment of Atkin primes. We call the total system with these 
strategies an intelligent choice system. Of course, we can incorporate strategies 
from previous works into our system, as those were proposed to improve the effi- 
ciency of each subprocedure (method). (See Remark 2 (1).) Here we note that, 
to make our approach effective, the estimates should correspond precisely to the real 
costs, which requires an "efficient implementation" of each operation. 




Fig. 1. The diagram of choice of methods 



So far we have three methods (categories) to get the information on $t \bmod \ell^k$: 

(a) Schoof's original algorithm, i.e. finding $t \bmod \ell$ in (2) for $P \in E[\ell]$, 

(b) Atkin-Elkies' method, i.e. part (I-ii) of SEA for $\ell$, and 

(c) the isogeny cycles method for $\ell^k$. 

Now we add virtual methods to take a shortcut to the trial-search stage (II), 
which we call the virtual Atkin and virtual isogeny cycles methods. 

3.1 Shortcut to the Trial Search Stage 

In stage (I), to make good use of Atkin primes $\ell$, we allow candidates for 
$t \bmod \ell$ as information on $t$. Thus, in stage (II), we search for the correct value 
of $t$ among all candidates constructed from the information gathered in stage (I). 
This takes $O(\sqrt{N_C})$ additions of points on the curve, where $N_C$ denotes the total 
number of candidates, with the most efficient algorithm (match-and-sort/baby-step- 
giant-step). If $N_C$ gets too large, the search takes much time. 
Therefore we set an upper limit on the total number of candidates, which we 
denote by CanMAX. We define CanMAX from experiments according to the size of 
$p$, based on the complexity of the match-and-sort algorithm. In "lucky" cases 
we enter stage (II) with an $N_C$ much smaller than CanMAX. In such cases, by 
introducing virtual methods, we can take a shortcut to stage (II). 

From now on, $T_{\ell^k}$ denotes the set of candidates for $t \bmod \ell^k$ obtained 
by Schoof's original method, Atkin-Elkies' method or the isogeny cycles method. 

Virtual (Atkin/Isogeny Cycles) Method: Suppose that $T_{\ell^k}$ is already 
computed. (For $k = 0$, we have no information on $t \bmod \ell$.) If a prime $\ell$ satisfies 
the following three conditions, we regard the candidates for $t \bmod \ell^{k+j}$ for some 
$j > 0$ as $T_{\ell^{k+j}} = \{a + b\ell^k \mid a \in T_{\ell^k},\ 0 \le b \le \ell^j - 1\}$. 

(i) For primes $\ell_1, \ldots, \ell_s$, we have already computed $T_{\ell_i^{k_i}}$, and 
$\prod_{1 \le i \le s} \ell_i^{k_i} \ge$ counter (i.e. these prime powers account for the current counter). 

(ii) $4\sqrt{p} < \left(\prod_{1 \le i \le s;\ \ell_i \ne \ell} \ell_i^{k_i}\right) \times \ell^{k+j}$. (The updated counter exceeds $4\sqrt{p}$.) 

(iii) CanMAX $> \left(\prod_{1 \le i \le s;\ \ell_i \ne \ell} \#T_{\ell_i^{k_i}}\right) \times \#T_{\ell^{k+j}}$. (The updated $N_C$ does not exceed 
CanMAX.) 

We can consider several primes $\ell_m$ at the same time. In this case, we can replace 
the inequalities (ii), (iii) with 

(iia) $4\sqrt{p} < \left(\prod_i \ell_i^{k_i}\right) \times \left(\prod_m \ell_m^{k_m + j_m}\right)$, where $\ell_i \ne \ell_m$. 

(iiia) CanMAX $> \left(\prod_i \#T_{\ell_i^{k_i}}\right) \times \left(\prod_m \#T_{\ell_m^{k_m + j_m}}\right)$, where $\ell_i \ne \ell_m$. 

By this, we can reduce the candidates as well as the operations in the search. 

3.2 Choice of Methods Based on Estimate of the Complexity 

Now we have four methods to get the information on $t \bmod \ell^k$: (a) Schoof's 
original algorithm, (b) Atkin-Elkies' method, (c) the isogeny cycles method, and 
(d) the virtual method. In each step we should be careful in choosing one of these 
methods, as the choice affects the total time of computation. For example, 
when the counter is very close to $4\sqrt{p}$, it might be more efficient to compute $t \bmod \ell^k$ 
for a small Elkies prime $\ell$ rather than to compute $t \bmod \ell$ for a large prime 
$\ell$. Thus, as for the isogeny cycles method, it is very important to decide when 
we apply it and which prime we use. 



Estimate of the Complexity: Here we propose a simple strategy in which we 
estimate the complexity of each method and choose the most efficient method and 
prime $\ell$ as a systematic choice. As a simple but practical example, 
we construct the following "complexity estimate function" by estimating the 
dominating computations. (We count the number of arithmetic operations over 
$GF(p)$.) For simplicity, we only deal with $t \bmod \ell^2$ in the isogeny cycles case and 
assume that $\ell \ll \log(p)$. The function is very simple, but it works very well for 
actual computation. (See Section 4.2.) In the implementation we fix each weight 
$W_s, W_a, W_{i,1}, W_{i,2}, W_{i,3}$ to fit the actual computation. Here we denote by $M(n)$ 
the time needed to compute the product of two polynomials of degree $n$. 

Complexity Estimate Function (The weights $W_s, W_a, W_{i,1}, W_{i,2}, W_{i,3}$ are positive 
numbers.) 

(a) In the case of Schoof's (original) algorithm, we estimate its complexity at 
$W_s M((\ell^2 - 1)/2)\log(p)$ for a prime $\ell$. 

(b) In the case of Atkin-Elkies' method, we estimate its complexity at 
$W_a M(\ell + 1)\log(p)$ for a prime $\ell$. 

(c) In the case of the isogeny cycles method, we estimate its complexity at 
$W_{i,1} M(U)\log(p) + W_{i,2} M(\ell + 1)\log(p) + W_{i,3} M((\ell - 1)/2)\log((\ell - 1)/2)\log(p)$ 
for an Elkies prime $\ell$, where $U$ is the degree of a factor $g_{\ell^2}$ of $f_{\ell^2}$ that is used 
in computing $t \bmod \ell^2$. 

(d) If we can apply the virtual method, i.e. the three conditions for the virtual 
method are satisfied, we estimate its complexity at $0$. Otherwise, we estimate 
its complexity at $\infty$. 

We explain the above estimate briefly. In each method, the dominant step is the 
computation of $h_0(x)^p \bmod h(x)$ or that of $h_0(x)^{(p-1)/2} \bmod h(x)$ for polynomials 
$h_0, h$. In more detail, $h_0 = x,\ y\ (y^2 = x^3 + ax + b)$ and $h = f_\ell$ for (a), and $h_0 = x$ 
and $h = \Phi_\ell(x, j(E))$ for (b). For (c), $h_0 = x$ and $h = \Phi_\ell(x, j(E/C))$, $h_0 = x$ and 
$h = g_{\ell^2}$, and randomly chosen $h_0$ and $h = \tilde{g}_\ell$. (See Lemma 1 for $E/C$ and $\tilde{g}_\ell$.) 
By the experimental analysis in [?] and our experiment, these steps amount to 
more than $2/3$ of the total time, which supports the validity of the function. 

In (a) we assume that we apply Schoof's original method to smaller $\ell$, and so 
the computation of $\phi(P)$ is dominant. (See Remark 2 (3).) 

In (b) we count only the cost to check if $\Phi_\ell(x, j(E))$ has a root in $GF(p)$. If $\ell$ is 
an Atkin prime and we execute Atkin's method, i.e. (ii-A) in SEA, the additional cost 
does not affect the total cost very much. But if $\ell$ is an Elkies prime and we execute 
Elkies' method, i.e. (ii-E) in SEA, the additional computations, namely the computation of 
$\phi(P)$ and finding the eigenvalues, have a certain effect on the total cost. See the 
paragraph Further Discussion on Practical Choice for a more precise estimate. 

In (c) the degree $U$ is guessed by the following lemma, used in [?], which can 
be shown easily by looking at the action of the Galois group. 

Lemma 1 Suppose that $\ell$ is an odd Elkies prime and $g_\ell$ corresponds to an ei- 
genspace $C$ of $\phi$ in $E[\ell]$ with eigenvalue $s_0$. Let $d_0$ be the order of $s_0$ in the 
multiplicative group $GF(\ell)^*$ and set $d = d_0/\gcd(2, d_0)$. Then $g_\ell$ has a factor of 
degree $d$ over $GF(p)$, and so its corresponding polynomial $\tilde{g}_\ell$ with respect to the 
isogenous curve $E/C$ also has a factor of degree $d$ over $GF(p)$. Moreover, $f_{\ell^2}$ has 
a factor $g_{\ell^2}$ of degree $\ell d$ over $GF(p)$, which can be used for computing $t \bmod \ell^2$. 

In the computation of $g_{\ell^2}$, the step $x^p \bmod g_{\ell^2}$ is dominant. (See Section 4.1.) 

In the computation of $\tilde{g}_\ell$, the step $x^p \bmod \Phi_\ell(x, j(E/C))$ is dominant, and in the 
computation of a factor of $\tilde{g}_\ell$, the steps $h_i^{(p-1)/2} \bmod \tilde{g}_\ell$ are dominant, where the $h_i$ 
are randomly chosen polynomials. See [?] for details of factoring polynomials. 
Remark 2 (1) By the isogeny cycles method we can compute $t \bmod \ell^k$ exactly; 
however, its cost tends to be large compared with Atkin-Elkies' method for the same 
$\ell$. So its arrangement is very important. In existing works, the isogeny cycles 
method was considered as an option for Elkies primes, and it is applied for $\ell$ just 
after Elkies' method was executed for the same $\ell$ [?]. (The power $k$ for $\ell^k$ is 
also decided at this step.) But, for primes $\ell_1 < \ell_2$, there are many cases where 
the cost for $t \bmod \ell_1^2$ by the isogeny cycles method exceeds that for $t \bmod \ell_2$ by 
Atkin-Elkies' method. Moreover, for Elkies primes $\ell_1 < \ell_2$, the cost for $t \bmod \ell_1^2$ 
is not always smaller than that for $t \bmod \ell_2^2$. (See Lemma 1.) 

(2) The condition for the virtual method shall depend on the cost of the search in the 
stage (II). To guarantee the efficiency of the intelligent choice system, the current 
setting is derived from the assumption that the cost of the search among CanMAX 
candidates corresponds to that of Atkin-Elkies' method just before closing 
stage (I). 

(3) As a common strategy for Schoof's original algorithm, we apply it only for 
small primes, and so we set a bound on the largest prime for which Schoof's 
original algorithm can be applied. Then the estimated cost of Schoof's original 
algorithm for larger primes becomes $\infty$ in the intelligent choice system. 

Examples 3 Here we demonstrate the details of actual computation by exam- 
ples. We select typical examples for which virtual methods work well. In the 
following, series of triples represent the trace of computation, where each triple 
consists of the selected method, the selected prime, and the actual cost (in se- 
conds). For simplicity, we write a, e, i for Atkin's method, Elkies' method and 
the isogeny cycles method, respectively. (In the implementation, we computed 
$t \bmod 2$ by checking if $E$ has a rational point of order 2. Thus, each series begins 
with $\ell = 3$.) Let $p = 2^{155} + 15$ and $E$ be defined by $y^2 = x^3 + ax + b$. 

(1) $(a, b) = (1, 5)$: 

[e,3,0.1], [a,5,0.1], [i,3,0.11], [e,7,0.26], [e,11,0.51], [e,13,0.56], [i,7,0.4], 
[e,17,1.05], [e,19,1.05], [i,11,0.83], [a,23,1.31], [i,13,1.66], [a,29,1.84], 
[e,31,2.75], [i,17,2.4], [e,37,3.5], [e,41,4.99], [e,43,5.23] 

Then the virtual method was applied with the following setting: $2 \to 2^{?}$, $3 \to 3^{?}$. 
The trial search took 1.67 seconds. 

(2) $(a, b) = (1, 64)$: 

[e,3,0.18], [e,5,0.18], [i,3,0.12], [e,7,0.25], [i,5,0.25], [a,11,0.32], [e,13,0.55], 
[e,17,0.92], [a,19,0.73], [a,23,1.32], [i,13,1.25], [e,29,2.55], [i,7,0.97], [a,31,2.09], 
[i,17,2], [e,37,3.49], [a,41,3.59], [e,43,5.32], [a,47,4.33] 

Then the virtual method was applied with the following setting: $2 \to 2^{?}$, $3^{?} \to 3^{?}$, 
$5^{?} \to 5^{?}$. The trial search took 1.04 seconds. 
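The complexity estimate function and the "take the cheapest next step" rule, as an added example that is not code from the paper: it implements (a)-(c) of Section 3.2 with the weights of Section 4 and the degree U of Lemma 1, then replays the rule over constructed stage-I outcomes. The eigenvalues in OUTCOMES (which fix d in Lemma 1), log(p) = 155 and SCHOOF_BOUND are assumptions; the real eigenvalues of the curves in Examples 3 are not given on the page.

```python
"""Added example, not the paper's code: the complexity estimate function of
Section 3.2 with the weights of Section 4 (W_s = inf, W_a = 1, W_i1 = W_i2 = 2,
W_i3 = 0, M(n) = n^2), the degree U of Lemma 1, and the rule "take the cheapest
estimated step".  log(p) is taken as the bit length of p (an assumption)."""
from math import gcd, inf, log2

W_S, W_A, W_I1, W_I2, W_I3 = inf, 1.0, 2.0, 2.0, 0.0
SCHOOF_BOUND = 7          # assumed bound of Remark 2 (3): Schoof's algorithm only up to here

def M(n):                 # cost of multiplying two degree-n polynomials over GF(p)
    return n * n

def mult_order(s0, l):
    """Order d0 of s0 in the multiplicative group GF(l)^*."""
    k, x = 1, s0 % l
    while x != 1:
        x, k = x * s0 % l, k + 1
    return k

def degree_U(l, s0):
    """Lemma 1: d = d0/gcd(2, d0); f_{l^2} has a factor g_{l^2} of degree l*d."""
    d0 = mult_order(s0, l)
    return l * (d0 // gcd(2, d0))

def est_schoof(l, logp):                 # (a)  W_s M((l^2-1)/2) log p
    return W_S * M((l * l - 1) // 2) * logp if l <= SCHOOF_BOUND else inf

def est_atkin_elkies(l, logp):           # (b)  W_a M(l+1) log p
    return W_A * M(l + 1) * logp

def est_isogeny_cycles(l, s0, logp):     # (c)  for t mod l^2 of an Elkies prime
    U = degree_U(l, s0)
    return (W_I1 * M(U) * logp + W_I2 * M(l + 1) * logp
            + W_I3 * M((l - 1) // 2) * log2((l - 1) / 2) * logp)

def replay(outcomes, logp):
    """Walk the primes in order; each step takes the cheapest of: Schoof or
    Atkin-Elkies for the next prime, or isogeny cycles for an Elkies prime
    already found.  `outcomes` = [(l, is_elkies, s0)] are constructed stage-I
    results (real SEA learns them only by running the method).  Returns the
    sequence of (method, prime) with method in {'e', 'a', 'i', 's'}."""
    trace, pending, i = [], {}, 0          # pending: Elkies primes not yet extended
    while i < len(outcomes):
        l_next = outcomes[i][0]
        options = [('s', l_next, est_schoof(l_next, logp)),
                   ('e', l_next, est_atkin_elkies(l_next, logp))]
        options += [('i', l, est_isogeny_cycles(l, s0, logp)) for l, s0 in pending.items()]
        method, l, _ = min(options, key=lambda o: o[2])
        if method == 'i':
            del pending[l]
        else:
            _, is_elkies, s0 = outcomes[i]
            i += 1
            if method == 'e':                  # Atkin-Elkies: an Atkin prime yields candidates only
                method = 'e' if is_elkies else 'a'
                if is_elkies:
                    pending[l] = s0
        trace.append((method, l))
    return trace

# Constructed outcomes: eigenvalues chosen so that d = 1 (U = l) for 3, 7, 11, 13,
# 17 and 31 and d = 3 (U = 57) for 19; they are not values from the paper.
OUTCOMES = [(3, True, 2), (5, False, None), (7, True, 6), (11, True, 10),
            (13, True, 12), (17, True, 16), (19, True, 7), (23, False, None),
            (29, False, None), (31, True, 30), (37, True, 36), (41, True, 40),
            (43, True, 42)]
```

With these constructed eigenvalues the replay reproduces the order of methods and primes of trace (1) in Examples 3 up to [e,43], i.e. before the virtual method is applied.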



Further Discussion on Practical Choice: Here we proposed a strategy 
based on a complexity estimate as a practical optimization. But, from a more precise 
analysis, it might be better to use the following "contribution index" instead of 
the complexity estimate function. 

1. Contribution Index: In the choice of methods, the "gain" in the counter 
must be taken into account. (Information for large moduli contributes 
much more than that for small moduli.) As a realization of such a "contribu- 
tion", we may set the contribution index for each method to 

  $\dfrac{\text{the estimate of the complexity}}{\text{the gain in counter}}$. 

We can give a precise argument on the gain. As for Atkin-Elkies' method 
with a prime $\ell$: if $\ell$ is an Elkies prime, then the gain is exactly $\ell$; however, if 
$\ell$ is an Atkin prime, the gain varies according to the number of candidates 
for $t \bmod \ell$ and the amount of already computed candidates. So we might 
compute the "expected gain" by taking the probabilities into account. (See 
Section 3.3 for the usage of Atkin primes.) 

2. Cost of the Virtual Method: We can give a "more reasonable" estimate of 
the cost of the virtual method. As the virtual method has much influence 
on searching for the real value of $t$, it is better to add the estimate of the cost 
of the search to the original estimate, and to compare it with the expected total 
cost for the case where we do not apply the virtual method. 

By our experiment, there is little difference between the original complexity 
estimate function and the contribution index for 300 curves over $GF(2^{160} + 7)$. 
So a "simple estimate of the cost" seems to work well for curves over finite fields 
of 160-240 bits order. But, to deal with curves over larger finite fields, we have 
to consider a precise contribution index function to make the intelligent choice 
system efficient. As for the cost of the virtual method, we could not do any 
practical experiment because of the difficulty of estimating the actual costs of the search by 
the match-and-sort technique. This shall be done in future work. 

3.3 Re-ordering Atkin Primes 

When Atkin-Elkies' method is chosen, we check whether $\Phi_\ell(x, j(E))$ has a root in 
$GF(p)$ from $\gcd(x^p - x, \Phi_\ell(x, j(E)))$. Thus we computed $x^p \pmod{\Phi_\ell(x, j(E))}$ 
for this check. If $\Phi_\ell(x, j(E))$ has no such root, i.e. $\ell$ is an Atkin prime, then 
the candidates for $t \bmod \ell$ are computed from the distinct degree decomposition 
(DDD). Once we have $x^p \pmod{\Phi_\ell(x, j(E))}$, we can compute the DDD very 
efficiently, and so the computation of $x^p \pmod{\Phi_\ell(x, j(E))}$ is the dominant step 
in this case. But, to improve the total efficiency, a strategy was proposed [?] in which 
we do not execute any additional computation for Atkin primes when the total 
number $N_C$ of candidates for $t$ exceeds CanMAX. 

Here we propose a new strategy, "re-ordering", in which, even if $N_C$ exceeds 
CanMAX, we do not give up using new Atkin primes. A "good" Atkin prime 
is one which is itself fairly large and whose number of candidates for $t$ 
is small. We define the "Atkin index" of an Atkin prime $\ell$ as 

  $\dfrac{\text{the number of candidates for the value } t}{\ell}$. 

In this context, Atkin primes of smaller index can be used more efficiently for 
the computation. When we find a new Atkin prime and $N_C$ exceeds CanMAX, 
we look for "worse" Atkin primes and replace them with the new "better" one 
so that $N_C$ does not exceed CanMAX. In good cases we can proceed to the trial- 
search stage without further computations. 

Examples 4 We consider the case where $p = 2^{160} + 7$, $E: y^2 = x^3 + x + ?$ and 
CanMAX $= 10^8$. In this case, the 7 successive primes from $\ell = 59$ are Atkin primes, 
and $N_C$ exceeds CanMAX at $\ell = 71$. However, by "re-ordering", the counter exceeds 
$4\sqrt{p}$ at $\ell = 79$ with $N_C = 47185920$. In the notation of Examples 3, the following 
presents the record of computation: 

[a,3,0.05], [a,5,0.09], [e,7,0.21], [a,11,0.29], [a,13,0.39], [e,17,0.99], 
[a,19,0.78], [a,23,1.25], [e,29,2.86], [e,31,2.79], [e,37,3.74], [e,41,5.77], 
[a,43,4.61], [a,47,5.6], [e,53,7.82], [a,59,7.14], [a,61,8.2], [a,67,12.05], 
[a,71,14.49], [a,73,14.71], [a,79,13.91] 

On the other hand, without "re-ordering", we would have to search for the next Elkies 
prime, which is found at $\ell = 89$. Thus the computation becomes 1.3 times 
slower. 

Remark 5 The "re-ordering" strategy for Atkin primes obliges us to execute 
additional computation even for "bad" Atkin primes. But this fact supports the 
validity of the complexity estimate function, because the difference between the 
cost of Elkies' method and that of Atkin's method for primes of the same size 
becomes smaller. 
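An added example, not the paper's code, of the candidate bookkeeping of stages (I) and (II) on a toy curve: the counter and $N_C$, the virtual-method conditions (ii)/(iii) of Section 3.1, the re-ordering of Atkin primes by Atkin index from this section, Chinese remaindering of the candidate sets, and the trial test $(p+1-T)P = O$ of Section 2.2. The curve over GF(1019), CanMAX and the stage-I candidate sets are constructed here; in real SEA they come from the modular polynomials.

```python
"""Added example, not the paper's code: stage (I)/(II) bookkeeping of SEA
(Sections 2.2, 3.1, 3.3) on a toy curve.  Stage (I) is simulated: an Elkies
prime gives t mod l exactly, an Atkin prime a candidate set T_l.  Curve, CanMAX
and all stage-I sets are constructed; t is taken from a naive count only to
build that constructed input."""
from itertools import product
from math import prod

p, a, b = 1019, 1, 3   # constructed toy curve y^2 = x^3 + a x + b over GF(p), p = 3 (mod 4)

def ec_add(P, Q):                                # affine addition; O is None
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                              # P = -Q (also doubling a 2-torsion point)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P):                                # k*P by double-and-add, k >= 0
    R = None
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def sample_points(n):                            # first n rational points with y != 0
    pts = []
    for x in range(p):
        v = (x ** 3 + a * x + b) % p
        y = pow(v, (p + 1) // 4, p)              # a square root of v when v is a square
        if v and y * y % p == v:
            pts.append((x, y))
            if len(pts) == n: return pts

def count_points_naive():                        # #E(GF(p)) via Legendre symbols
    legendre = lambda v: 0 if v == 0 else (1 if pow(v, (p - 1) // 2, p) == 1 else -1)
    return 1 + sum(1 + legendre((x ** 3 + a * x + b) % p) for x in range(p))

class StageI:
    """info[l] = (k, T): candidate set T for t mod l^k (one element for Elkies primes)."""
    def __init__(self, canmax):
        self.info, self.canmax = {}, canmax
    def counter(self):
        return prod(l ** k for l, (k, _) in self.info.items())
    def n_candidates(self):                      # N_C
        return prod(len(T) for _, T in self.info.values())
    def add_elkies(self, l, t_mod_l):
        self.info[l] = (1, [t_mod_l % l])
    def add_atkin(self, l, T_l):
        """Re-ordering (3.3): while N_C > CanMAX drop the Atkin prime of largest index #T_l/l."""
        self.info[l] = (1, sorted({x % l for x in T_l}))
        while self.n_candidates() > self.canmax:
            worst = max((q for q, (_, T) in self.info.items() if len(T) > 1),
                        key=lambda q: len(self.info[q][1]) / q)
            del self.info[worst]
    def virtual(self, l, j):
        """Virtual method (3.1): l^k -> l^{k+j} at no cost if (ii) and (iii) hold."""
        k, T = self.info[l]
        newT = [x + y * l ** k for x in T for y in range(l ** j)]   # T_{l^{k+j}}
        cnt = self.counter() // l ** k * l ** (k + j)                # updated counter
        nc = self.n_candidates() // len(T) * len(newT)               # updated N_C
        if cnt * cnt > 16 * p and nc <= self.canmax:                 # (ii) > 4 sqrt p, (iii)
            self.info[l] = (k + j, newT)
            return True
        return False

def candidates(st):
    """Stage (II): every T with |T| <= 2 sqrt(p) meeting all t mod l^k constraints."""
    mods = [(l ** k, T) for l, (k, T) in st.info.items()]
    M, out = st.counter(), set()
    for choice in product(*[T for _, T in mods]):
        r = 0
        for (m, _), rm in zip(mods, choice):     # Chinese remaindering
            Mi = M // m
            r = (r + rm * Mi * pow(Mi, -1, m)) % M
        out.update(T for T in (r, r - M) if T * T <= 4 * p)
    return sorted(out)

def trial_search(st, pts):
    """Keep the candidates T with (p + 1 - T)P = O for every sample point P."""
    return [T for T in candidates(st) if all(ec_mul(p + 1 - T, P) is None for P in pts)]

def scenario_virtual():
    """Elkies 3, 7 and Atkin 5 leave counter = 105 < 4 sqrt(p); 3 -> 3^2 closes stage (I)."""
    t = p + 1 - count_points_naive()
    st = StageI(canmax=8)
    st.add_elkies(3, t); st.add_atkin(5, [t, t + 2]); st.add_elkies(7, t)
    before, applied = st.counter(), st.virtual(3, 1)
    return before, applied, st.counter(), st.n_candidates(), trial_search(st, sample_points(3))

def scenario_reorder():
    """Atkin 11 (3 candidates) pushes N_C over CanMAX = 4; re-ordering drops Atkin 5."""
    t = p + 1 - count_points_naive()
    st = StageI(canmax=4)
    st.add_elkies(3, t); st.add_atkin(5, [t, t + 2]); st.add_elkies(7, t)
    st.add_atkin(11, [t, t + 1, t + 5])
    return sorted(st.info), st.counter(), st.n_candidates(), trial_search(st, sample_points(3))
```

Both scenarios end with a trial search over at most six and three candidates respectively, which returns the trace recovered from the naive count.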

4 Implementation and Experiment 

We have implemented the intelligent choice system using the Risa/Asir computer 
algebra system [?] developed by FUJITSU Labs. We examined its ability and 
efficiency by experiments on a number of examples. We set $W_s = \infty$, $W_a = 1$, 
$W_{i,1} = W_{i,2} = 2$, $W_{i,3} = 0$, and $M(n) = n^2$. Although we used efficient multipli- 
cation techniques, where $M(n) = O(n^{1.58})$, the function gives reasonable choices 
for our examples. For the experiment, we pre-computed "canonical" modular 
polynomials up to $\ell = 229$. 



4.1 Details of the Implementation 

Here we explain the following important operations. 

Multiplication and Powering: The SEA algorithm spends most of its time 
on multiplications of polynomials over $GF(p)$, and so on those in the field $GF(p)$. 
Thus, as recommended in [?], we used Karatsuba's algorithm for the multiplica- 
tion of polynomials so that we get the complexity $M(n) = O(n^{1.58})$ instead of 
$O(n^2)$. This is effective when $p$ is around 240 bits long. Moreover, almost all of them 
are modular multiplications, i.e. polynomial multiplications accompanied by 
polynomial division. Among them, as remarked in [?], powering of polynomials 
dominates the other operations, and it appears in the following steps: 

(a) the DDD computation of $\Phi_\ell(x, j(E))$, 

(b) the eigenvalue computation, i.e. finding $t_\ell$ by $\phi(P) = t_\ell P$, 

because both (a) and (b) require 

(c) $x^p \bmod h(x)$ for some polynomial $h(x)$, or $h_0(x)^{(p-1)/2} \bmod h(x)$ for some 
polynomials $h_0(x), h(x)$, where $\deg(h) = O(\log(p))$. 

For ordinary powering, we can convert one polynomial division into two polyno- 
mial multiplications with truncation; see [21]. For this truncated multiplication, 
we can extend Karatsuba's algorithm [?]. For $p^k$-th powering with $k \ge 2$, we can 
use multiplication tables; see also [?]. These techniques improve the total effi- 
ciency very much. We shall need, however, the FFT technique to attain drastic 
improvement for computation over much larger finite fields. 



Eigenvalue Computation: In the isogeny cycles case, we made use of a 
match-and-sort algorithm in calculating an eigenvalue. As it was remarked in 
[?] that such a technique might work well for large $\ell$, it seems to work well for 
the isogeny cycles cases. We outline the implemented procedure briefly. 

Suppose that $\ell$ is an odd Elkies prime and we have already computed $g_\ell$ 
and a factor $g_{\ell^2}$ of $f_{\ell^2}$. Let $s_0$ be the computed eigenvalue of the eigenspace 
corresponding to $g_\ell$. By using $g_{\ell^2}$, we will compute the eigenvalue $s_0 + \ell s_1$, 
where $s_0, s_1 \in \{0, 1, \ldots, \ell - 1\}$ and $s_0 \ne 0$. 

(i) We compute $P, 2P, \ldots, (\ell - 1)P$, where the $x$-coordinate of $P$ is a root of $g_{\ell^2}$. 

(ii) For $u = 1, \ldots, \ell - 1$, we compute $u\phi(P)$ and check whether (ii-1) $vP = u\phi(P)$ 
or (ii-2) $-vP = u\phi(P)$, where $v = s_0 u \pmod{\ell}$. 

If (ii-1) holds, then $s_0 + \ell s_1 = vu^{-1} \pmod{\ell^2}$. If (ii-2) holds, then $s_0 + \ell s_1 = 
-vu^{-1} \pmod{\ell^2}$. 

This algorithm concerns only the $x$-coordinates of points, and the number of 
additions of points is bounded by $2(\ell - 2)$. The following lemma gives the ma- 
thematical basis for the correctness of the method. 

Lemma 6 For $s = s_0 + \ell s_1$, $s_0 \ne 0$, there exists an element $u_0 \in \{1, \ldots, \ell - 1\}$ 
such that $u_0 s \bmod \ell^2$ belongs to $\{1, \ldots, \ell - 1\} \cup \{\ell^2 - \ell + 1, \ldots, \ell^2 - 1\}$. 
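An added example (not the paper's code) of the eigenvalue recovery above with points replaced by integers modulo $\ell^2$: if $P$ has order $\ell^2$ and $\phi(P) = sP$, then comparing $x$-coordinates $x(u\phi(P)) = x(vP)$ means $us \equiv \pm v \pmod{\ell^2}$, so the search over $u$ and the recovery $s = \pm vu^{-1}$ can be checked exhaustively for small $\ell$, which also verifies Lemma 6. The integer stand-in for $x$-coordinates (only the class $\{k, -k\}$ modulo $\ell^2$ is visible) is the assumption made here.

```python
def xcoord(k, m):
    """Stand-in for the x-coordinate of kP when P has order m: x(kP) = x(-kP),
    so only the class {k, -k} mod m is observable (an assumption of this model)."""
    k %= m
    return min(k, m - k)

def recover_eigenvalue(l, s0, s):
    """Steps (i)-(ii) of the eigenvalue computation.  s0 = s mod l is the known
    eigenvalue on g_l; s plays the role of phi(P) = sP.  Returns (s mod l^2, u, case)."""
    m = l * l
    table = {xcoord(k, m): k for k in range(1, l)}      # (i): x(P), ..., x((l-1)P)
    for u in range(1, l):                                # (ii): compare u*phi(P) with +-vP
        v = table.get(xcoord(u * s, m))
        if v is None:
            continue                                     # u*phi(P) is not +-kP with k < l
        if v == s0 * u % l:                              # (ii-1): vP = u phi(P), v = s0 u (mod l)
            return v * pow(u, -1, m) % m, u, "ii-1"
        return (-v * pow(u, -1, m)) % m, u, "ii-2"       # (ii-2): -vP = u phi(P), v = -s0 u (mod l)
    return None

def lemma6_holds(l):
    """Exhaustive check of Lemma 6 for an odd prime l: every s = s0 + l s1 with
    s0 != 0 has a u0 in 1..l-1 with u0 s mod l^2 in {1..l-1} U {l^2-l+1..l^2-1},
    and the procedure above recovers s from it."""
    m = l * l
    for s0 in range(1, l):
        for s1 in range(l):
            s = s0 + l * s1
            found = recover_eigenvalue(l, s0, s)
            if found is None or found[0] != s:
                return False
            w = found[1] * s % m
            if not (1 <= w <= l - 1 or m - l + 1 <= w <= m - 1):
                return False
    return True
```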

Match-and-Sort Computation in Trial Search: In the trial-search stage, 
we applied a certain kind of match-and-sort algorithm described in [12] to im- 
prove the efficiency. (See [12] for details.) In the implementation, we made use 
of projective coordinates and pre-computed multiples of a fixed point for the compu- 
tation of baby steps and giant steps. Moreover, we take much care in partitioning the 
Atkin primes into the baby part and the giant part. To give a good partition, 
we apply "re-ordering" again to all Atkin primes. Also in the virtual method, 
we choose primes to optimize the algorithm. 



4.2 Experimental Results 

To examine the ability of the intelligent choice system, we chose 300 curves over 
$GF(p)$, where $p = 2^{160} + 7$, $A = 1$ and $1 \le B \le 300$, and measured the average 
time needed to compute the cardinality of one curve on a PC with a 300 MHz Pentium 
II. We set CanMAX $= 10^8$. We also put the best and the worst times in the 
following table. In order to see the effect of our methods, we tried several 
combinations of our strategies. We did not implement Schoof's original algorithm. 



Table 1. Using Intelligent Choice System (seconds): 

 No.  isogeny  virtual  re-ordering   best  average   worst 
 (1)    YES      YES       YES        34.7    66.5    334.7 
 (2)    NO       YES       YES        56.2    82.8    330.9 
 (3)    YES      NO        YES        43.7    76.1    339.4 
 (4)    YES      YES       NO         34.4    68.0    348.2 



Table 2. Not Using Intelligent Choice System (seconds): 

 No.  isogeny  virtual  re-ordering   best  average   worst 
 (5)    YES      NO        NO         43.6    83.4    365.3 
 (6)    YES      NO        NO         43.6    86.9    374.1 

(5) uses isogeny cycles if $f_{\ell^2}$ has a factor of degree $\le 32$. 

(6) uses isogeny cycles if $f_{\ell^2}$ has a factor of degree $\le 64$. 

From the above data, our strategies (in the intelligent choice system) can be 
characterized as follows: 

1. The "estimate of the complexity" strategy has the main effect of speeding 
up the computation process overall. 

2. The strategy on the isogeny cycles method and that on the virtual method 
have the main effect of speeding up the computation process in good cases 
(the case where we can proceed to the trial-search stage early on). 

3. The re-ordering strategy should have the main effect of speeding up the 
computation process in bad cases (the case where the number of candidates for $t$ 
exceeds CanMAX). Currently our implementation of the calculation of ... has not 
yet been tuned. The authors believe that we can see a better effect after 
tuning the process. 

In Table 3 we show the timings (seconds) for 300 curves over other fields, which 
might assert that one can count the cardinality of curves used for elliptic curve 
cryptosystems in a reasonable time. And the average times suggest that the 
complexity of our implementation is 0(n®^'^) for some $\epsilon \ll 1$. We also counted 
the cardinality of the sample curves listed in the X9.62 Working Draft and found 
similar behavior in their timings as in Table 3. (It took 559 seconds for Example 
1 with a 256-bit prime in H.5.3.) 



Table 3. Statistics on Timings 

 prime          average time   best time   worst time   CanMAX 
 2^240 + 115        454.1        242.8       1143.2      10^? 
 2^160 + 7           66.5         34.7        334.7      10^8 
 2^155 + 15          50.4         30.6        142.3      10^8 



The authors are implementing the intelligent choice system for curves over finite 
fields of characteristic 2. As the basic arithmetic over finite fields of characteri- 
stic 2 can be done quite efficiently, the total computation over such fields seems 
faster than that over finite fields of odd characteristic. 

4.3 Finding Elliptic Curves of Prime Cardinality 

For secure ECC, it is strongly recommended to use a curve whose cardinality is a 
prime. For this purpose, we can use the "early abort" strategy [?]. In this strategy, 
we check whether the cardinality has a factor at each step of the computation of $t \bmod \ell$. 
If we find that the cardinality is not a prime, we can abandon the curve and try 
the next one. The effect of the strategy is supported by mathematical analysis 
[?]. 

We incorporated this strategy into our implementation and searched for curves with 
prime cardinality. For $p = 2^{240} + 115$, we could try 3569 curves in 52.5 hours, 
and found 16 curves whose cardinalities are prime. This means that we can handle 
each curve within 1 minute on average thanks to the effect of the early abort strategy 
(almost 8 times faster than the average time in Table 3). 

5 Conclusion 

We have introduced an explicit criterion for efficient computation of the car- 
dinality of an elliptic curve over a finite field. The experiment shows that we 
could speed up the process by almost 20%. In the experiment we can find elliptic 
curves whose cardinalities are prime numbers in a reasonable time when the 
characteristic $p$ of the base field is around 240 bits long. 



78 



T. Izu et al. 



Although our current implementation may not be the best, its experimental 
results are quite satisfactory in practice. We are going to tune the complexity 
estimate function and CanMAX to get better results. We will also implement the FFT 
for the case where $p$ is a larger prime, and modify the intelligent choice system for 
parallel computation. Moreover, theoretical analysis will be the subject of our further studies. 
Abstract. We investigate the discrete logarithm problem over jacobians 
of hyperelliptic curves suitable for public-key cryptosystems. We focus 
on the case when the definition field has small characteristic 2, 3, 5 and 7; 
then we present hyperelliptic cryptosystems that resist all known 
attacks. We further implement our designed hyperelliptic cryptosystems 
over finite fields $F_{2^n}$ in software on Alpha and Pentium-II computers. 
Our results indicate that if we choose curves carefully, hyperelliptic cryp- 
tosystems do have practical performance. 



1 Introduction 

1.1 Hyperelliptic Cryptosystems 

Koblitz [Ko88, Ko89] investigated jacobians of hyperelliptic curves defined over 
finite fields as a source of finite abelian groups suitable for cryptographic discrete 
logarithm problems. As a motivation for the cryptographic research, Koblitz gave 
the following conjectural remark [Ko88, page 99]: "Thus, as far as we know, 
discrete log cryptosystems using $J(F_{p^n})$ seem to be secure for relatively small 
$p^n$ (even when $p = 2$). From the standpoint of implementation, this feature 
may outweigh the added time required to compute the more complicated group 
operation." 

Frey and Rück's generalization [FR94] of the MOV attack [MOV93] solved in 
subexponential time the discrete logarithm problems over some of Koblitz's de- 
signed hyperelliptic cryptosystems [Ko89]. However, Sakai, Sakurai and Ishi- 
zuka designed hyperelliptic cryptosystems [?] that resist all known 
attacks including Frey and Rück's method [FR94]. Furthermore, Sakai et 
al. [SST98] analyzed the computational complexity of the group operation in 
jacobians. Their results theoretically support Koblitz's conjecture referred 
to above. 

* Partially done while visiting in Columbia Univ. Computer Science Dept. 



K. Ohta and D. Pei (Eds.): ASIACRYPT'98, LNCS 1514, pp. 80-..., 1998. 
© Springer-Verlag Berlin Heidelberg 1998 

In this work, we further explore hyperelliptic discrete logarithms to obtain 
more efficient public key cryptosystems, and confirm experimentally 
Koblitz's conjecture on the practical merit of hyperelliptic cryptosystems. 

1.2 Our Investigated Topics 

We consider the following topics to address as challenging problems after [Ko88]: 

1. Designing secure hyperelliptic cryptosystems with genus 2 curves over small 
characteristic fields 

Koblitz [Ko88, Ko89] presented jacobians of curves $C: v^2 + h(u)v = f(u)$, 
where $\deg(f(u)) = 5$ (genus 2), defined over $F_2$. However, some discrete 
logarithms of the curves had been broken by Frey and Rück [FR94]. As a 
negative result, Sakai et al. [?] experimentally showed that no secure 
curve exists with genus 2 among those defined over $F_2$ with $h(u) = 1$. 
Other recently developed methods [?] have generated se- 
cure hyperelliptic cryptosystems with genus 2. However, these require the 
characteristic of the curve's definition field to be large. 

2. Designing secure hyperelliptic cryptosystems over $F_{2^n}$ with smaller $n$ 

Sakai et al. [SST98] examined jacobians over $F_{2^n}$ of the genus $g = 3, 11$ curves 
$v^2 + v = u^{2g+1}$, which resist all known attacks. However, their con- 
struction requires a large extension degree $n$. For example, to achieve the same 
security as RSA with a 1024-bit key, the jacobian of the curve $v^2 + v = u^7$ must 
be defined over $F_{2^{69}}$ or larger fields. They also confirmed that the jacobian 
of the curve $v^2 + v = u^{23}$ (genus 11) over $F_{2^{47}}$ induces a secure hyperellip- 
tic cryptosystem with the same level of security as RSA with a 5000-bit key. 
This can be efficiently implemented (without a multi-precision library) in 
software on a 64-bit CPU (e.g. Alpha). 

However, no secure hyperelliptic cryptosystem is available from this curve 
with $n$ smaller than 47. We want such a jacobian over $F_{2^n}$ with, hopefully, $n < 
32$ for an efficient software implementation on a 32-bit CPU (e.g. Pentium). 

3. Implementing hyperelliptic cryptosystems in software 

Indeed, the formulas for adding divisors in a jacobian are more complex 
than the formulas for adding points on an elliptic curve. However, as we 
first remarked, Koblitz [Ko88] suggested that hyperelliptic cryptosystems 
defined over a small definition field may be efficient in practice. 

Sakai et al. [SST98] evaluated the encryption/decryption speed, which showed 
that hyperelliptic cryptosystems are indeed practical. However, their confir- 
mation was only theoretical, and no performance via a practical implemen- 
tation has been reported. 



1.3 Our Results 

On Design with Genus Two In the case of characteristic 2, we have found secure 
jacobians by considering a wider class of $h(u)$ (the degree of $h(u)$ is at most 
$g$). Moreover, in the case of $C: v^2 = f(u)$ over finite fields of characteristic 3, 5 and 7, 
where $\deg(f(u)) = 5$ (genus 2), we have found many curves which resist 
all known attacks. 

On Design with Smaller Size of $F_{2^n}$ By choosing curves not from $v^2 + v = u^{2g+1}$ 
but from the wider class $v^2 + v = f(u)$, we have found secure jacobians over $F_{2^n}$ 
with "$n < 32$" that achieve the same (or a higher) level of security as RSA with a 
1024-bit key. 

On Implementation We have implemented the operations in jacobians in software. 
One platform was an Alpha 21164A (467 MHz) with 64-bit word size, and the 
other was a Pentium-II (300 MHz) with 32-bit word size. The programs were written in 
C and compiled with GCC. Our software implementation of secure ja- 
cobians, which have the same level of security as RSA with a 1024-bit key, achieves 
good practical performance. In an exponentiation of a randomly chosen divisor, 
the jacobian over $F_{2^{59}}$ of the genus 3 curve $C: v^2 + v = \ldots$ achieved 83.3 msec 
on the Alpha 21164A (467 MHz), and the jacobian over $F_{2^{29}}$ of the genus 6 curve 
$C: v^2 + v = \ldots + 1$ achieved 476 msec on the Pentium-II (300 MHz). 

We have also implemented secure jacobians which have the same level of security 
as RSA with a 5000-bit key. In an exponentiation of a randomly chosen divisor, 
the jacobian over $F_{2^{47}}$ of the genus 11 curve $C: v^2 + v = \ldots$ achieved 1.74 
sec on the Alpha 21164A (467 MHz). Note that those jacobians can be implemented 
without "a multi-precision library" because of the size of the definition fields. 



1.4 Our Approach 

Our Considered Security We design hyperelliptic cryptosystems that resist 
the following four known attacks: 

1. The Pohlig-Hellman method [PH78]. 

2. Frey-Rück's generalization [FR94] of the Menezes-Okamoto-Vanstone attack 
[MOV93]. 

3. Adleman-DeMarrais-Huang's smooth-divisor attack [ADH94]. 

4. Rück's generalization [?] of the Semaev-Smart-Satoh-Araki attack [?] 
on elliptic curves with Frobenius trace one. 

Our design further takes into account new attacks improving the parallelized Pollard 
lambda search [?]. 

On Choosing Curves and Counting the Order of their Jacobian In 
[Ko88], Koblitz investigated the jacobians of the hyperelliptic curves $v^2 + v = 
u^{2g+1}$ over a finite field for cryptographically intractable discrete logarithms. In 
[Ko89], Koblitz also discussed the jacobians of hyperelliptic curves of the more 
general form $v^2 + h(u)v = f(u)$; however, the degree of the polynomial $f(u)$ 
is restricted to be 5 (i.e. genus 2) and the definition fields are only of 
characteristic 2. In order to obtain a broader class of jacobians suitable for 
secure discrete logarithms, we deal with the wider family of hyperelliptic curves 
$v^2 + v = f(u)$ and $v^2 = f(u)$ over finite fields of characteristic 2, 3, 5 and 7, where 
$\deg(f(u)) = 2g + 1$. 



2 Preliminaries

In this section, we give a brief description of jacobians. See [...] for more
detail.

Let F be a finite field and let \bar{F} be the algebraic closure of F. A hyperelliptic
curve C of genus g over F is an equation of the form C : v^2 + h(u)v = f(u) in
F[u, v], where h(u) \in F[u] is a polynomial of degree at most g, f(u) \in F[u] is
a monic polynomial of degree 2g + 1, and there are no solutions (u, v) \in \bar{F} \times \bar{F}
which simultaneously satisfy the equation v^2 + h(u)v = f(u) and the partial
derivative equations 2v + h(u) = 0 and h'(u)v - f'(u) = 0. Thus, a hyperelliptic
curve does not have singular points.

A divisor on C is a finite formal sum of \bar{F}-points D = \sum m_i P_i, m_i \in Z. We
define the degree of D to be deg(D) = \sum m_i. If K is an algebraic extension of
F, we say that D is defined over K if for every automorphism \sigma of \bar{F} that fixes
K one has \sum m_i P_i^\sigma = D, where P^\sigma denotes the point obtained by applying
\sigma to the coordinates of P (and \infty^\sigma = \infty). Let D denote the additive group
of divisors defined over K (where K is fixed), and let D^0 denote the subgroup
consisting of divisors of degree 0. The principal divisors form a subgroup P of
D^0. J(K) = D^0/P is called the "jacobian" of the curve C. In this paper, we
also denote by J(C;K) the jacobian of the curve C defined over K.

The discrete logarithm problem on J(C;K) is the problem, given two divisors
D_1, D_2 \in J(C;K), of determining an integer m such that D_2 = mD_1 if such m
exists.

3 Security Against Known Attacks

We will choose jacobians to satisfy the following four conditions to resist
all known attacks.

C1 : #J(C;F_q) is divisible by a large prime

C2 : J(C;F_q) cannot be embedded into a small finite field F_{q^k}

C3 : 2g + 1 < log q

C4 : A jacobian over a field of characteristic p does not have a cyclic group
structure of order p^n for small n.

Our design further notes new attacks improving the parallelized Pollard-
Lambda search [WZ98][GLV98].

3.1 C1 : General Algorithms

The condition C1 is to resist the Pohlig-Hellman method [PH78]. The algorithm
has a running time that is proportional to the square root of the largest prime
factor of #J(C;F_q). Therefore, we need to choose curves such that #J(C;F_q) has
a large prime factor.

3.2 C2 : Embedding into a Small Finite Field

The condition C2 is to resist Frey and Rück's generalization [FR94] of the MOV
attack [MOV93] using the Tate pairing. Their method reduces the logarithm problem
over J(C;F_q) to the logarithm problem over an extension field F_{q^k}. Methods of
avoiding the MOV attack have been discussed in [...]. We take a similar
approach by choosing curves such that the induced jacobian J(C;F_q) cannot be
embedded via the Tate pairing into F_{q^k} with small extension degree k. Therefore,
we replace C2 by the following sufficient condition:

C2' : The largest prime factor of #J(C;F_q) does not divide
q^k - 1 for k < (log q)^2
3.3 C3 : Large Genus Hyperelliptic Curves

The condition C3 is to resist the Adleman-DeMarrais-Huang method [ADH94].
They found a sub-exponential algorithm for the discrete logarithm over the rational
subgroup of the jacobians of large genus hyperelliptic curves over finite fields. It
is a heuristic algorithm under certain assumptions. Therefore, we need to choose
curves such that the genus of the curves is not so large.

3.4 C4 : Additive Embedding Attack

The condition C4 is to resist Rück's generalization of the Semaev-Smart-
Satoh-Araki attack [...] on elliptic cryptosystems with Frobenius trace one. The
method uses an additive version of the Tate pairing to solve the discrete logarithm
of a jacobian over a finite field of characteristic p and has running time
O(n^2 log p) for a jacobian with cyclic group structure of order p^n.

We should remark that our design is in small characteristic p = 2, 3, 5 and
7. Subgroups of the jacobians that we consider have order prime to the
characteristic p. Therefore, this additive embedding attack does not apply to our
cryptosystems.

3.5 Improved Parallelized Pollard-Lambda Search

New attacks have been announced which improve the parallelized Pollard-
Lambda search [WZ98][GLV98]. For elliptic curves over F_{2^n} with coefficients in
F_2, the attack time can be reduced by a factor of the square root of 2n.
For example, the time required to compute an elliptic curve logarithm on such a
curve over F_{2^163} is reduced from the previous 2^81 to 2^77 elliptic curve operations.

This could be applicable to our designed hyperelliptic cryptosystems in
characteristic 2, because the coefficients of our curves belong to F_2. We should
note that the power of this attack is not as strong as the four listed above.
However, this attack is very important to our selection of the size of the security
parameter, which affects the performance analysis of our cryptosystems. Therefore,
we should consider security against possible extensions of this kind of
attack in our design of hyperelliptic cryptosystems.



4 Our Order Counting Method

Beth and Schaefer [BS91] used the zeta-function for constructing elliptic
cryptosystems, and Koblitz [Ko88][Ko89][Ko98] also used the zeta-function of a
hyperelliptic curve to construct jacobians of hyperelliptic curves defined over
finite fields.

A technical difficulty in our computation on general hyperelliptic curves
is that the zeta-function has a complicated form with larger degree. Therefore,
it is not easy to compute its exact solutions, unlike the previous cases
[BS91][Ko88][Ko89][Ko98]. However, it is known that the order of a jacobian
can be computed without deciding the solution of its zeta-function [St93, Chapter
V]. Therefore, we use this algorithm for our problems.

Throughout this section, F denotes an algebraic function field of genus g
whose constant field is the finite field F_q, and P_F denotes the set of places of
F/F_q. The definition, the theorem and the corollary shown below are given in
the article [St93].

Definition 1. [St93] The polynomial L(t) := (1 - t)(1 - qt)Z(t) is called the
L-polynomial of the function field F/F_q, where Z(t) denotes the zeta-function of
F/F_q.

Theorem 1.

(a) L(t) \in Z[t] and deg L(t) = 2g.

(b) L(t) = q^g t^{2g} L(1/(qt)).

(c) L(1) = h, the class number of F/F_q.

(d) We write L(t) = \sum_{i=0}^{2g} a_i t^i. Then the following holds:

  (1) a_0 = 1 and a_{2g} = q^g.

  (2) a_{2g-i} = q^{g-i} a_i for 0 \le i \le g.

  (3) a_1 = N - (q + 1), where N is the number of places P \in P_F of degree one.

(e) L(t) factors in C[t] in the form L(t) = \prod_{i=1}^{2g} (1 - \alpha_i t). The complex numbers
\alpha_1, ..., \alpha_{2g} are algebraic integers, and they can be arranged in such a way
that \alpha_i \alpha_{g+i} = q holds for i = 1, ..., g.

(f) If L_r(t) := (1 - t)(1 - q^r t) Z_r(t) denotes the L-polynomial of the constant
field extension F_r = F F_{q^r}, then L_r(t) = \prod_{i=1}^{2g} (1 - \alpha_i^r t).

Corollary 1. Let S_r := N_r - (q^r + 1). Then we have:

a_0 = 1, and i a_i = S_i a_0 + S_{i-1} a_1 + ... + S_1 a_{i-1} for i = 1, ..., g.

We can determine the order of jacobians by the Theorem and the Corollary
in the following algorithm. We should note that it is easy to count N_1, ..., N_g if
F_q is small.

Order Counting

Input:  Hyperelliptic curve C : v^2 + h(u)v = f(u) over F_q and extension degree n
Output: The order #J(C;F_{q^n})

Step 1  Determine N_r = #C(F_{q^r}) for r = 1, ..., g
        by counting the number of rational points of C over F_{q^r}.
Step 2  Determine the coefficients of L_F(t) = \sum_{i=0}^{2g} a_i t^i as follows:
        a_0 = 1
        for 1 \le i \le g:        a_i = (\sum_{k=1}^{i} (N_k - (q^k + 1)) a_{i-k}) / i
        for g + 1 \le i \le 2g:   a_i = q^{i-g} a_{2g-i}
Step 3  Compute L_{F_n}(1) = \prod_{\zeta} L_F(\zeta),
        where \zeta runs over the n-th roots of unity.
Step 4  Return #J(C;F_{q^n}) = L_{F_n}(1).
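The four steps above carried out in Python, as an added example that is not the authors' implementation: N_r is counted by brute force over F_{q^r} for r = 1, ..., g, the a_i follow from Corollary 1, and the product of L(\zeta) over the n-th roots of unity is evaluated exactly by converting the a_i into power sums of the \alpha_i and back (Newton's identities), so no complex arithmetic is needed. The curve v^2 + v = u^5 over F_2, the extension degrees and the embedding-degree check against C2' are constructed sample inputs, and the root-test irreducibility search used for the helper field assumes r \le 3.

```python
"""Order counting for C: v^2 + h(u)v = f(u) over F_q through the L-polynomial
(Steps 1-4 of the paper's Order Counting).  Added example, not the authors'
code.  Polynomials are integer coefficient lists, lowest degree first; only
small q are practical because N_r is obtained by brute force over F_{q^r}."""
from itertools import product

def find_modulus(p, r):
    """First monic degree-r polynomial (1 <= r <= 3) over F_p with no root in
    F_p; for degree <= 3 that is the same as being irreducible (assumption)."""
    assert 1 <= r <= 3
    for tail in product(range(p), repeat=r):
        m = list(tail) + [1]
        if r == 1 or all(sum(c * x ** i for i, c in enumerate(m)) % p for x in range(p)):
            return m

class GF:
    """F_{p^r} = F_p[w]/(m); an element is an r-tuple of F_p coefficients."""
    def __init__(self, p, r):
        self.p, self.r, self.m = p, r, find_modulus(p, r)

    def elements(self):
        return [tuple(c) for c in product(range(self.p), repeat=self.r)]

    def scalar(self, c):
        return (c % self.p,) + (0,) * (self.r - 1)

    def add(self, a, b):
        return tuple((x + y) % self.p for x, y in zip(a, b))

    def mul(self, a, b):
        p, r, m = self.p, self.r, self.m
        prod = [0] * (2 * r - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                prod[i + j] = (prod[i + j] + x * y) % p
        for k in range(2 * r - 2, r - 1, -1):   # w^k = w^(k-r) w^r and w^r = -sum m_i w^i
            for i in range(r):
                prod[k - r + i] = (prod[k - r + i] - prod[k] * m[i]) % p
        return tuple(prod[:r])

    def eval_poly(self, coeffs, x):
        """Horner evaluation of an integer-coefficient polynomial at x."""
        acc = self.scalar(0)
        for c in reversed(coeffs):
            acc = self.add(self.mul(acc, x), self.scalar(c))
        return acc

def count_points(p, r, h, f):
    """Step 1: N_r = #C(F_{p^r}), affine points plus the single point at infinity."""
    F = GF(p, r)
    elems = F.elements()
    n = 1
    for x in elems:
        hx, fx = F.eval_poly(h, x), F.eval_poly(f, x)
        n += sum(1 for y in elems if F.add(F.mul(y, y), F.mul(hx, y)) == fx)
    return n

def l_polynomial(p, h, f):
    """Step 2: a_0..a_{2g} of L(t) from S_r = N_r - (p^r + 1), r = 1..g."""
    g = (len(f) - 2) // 2                                    # deg f = 2g + 1
    S = {r: count_points(p, r, h, f) - (p ** r + 1) for r in range(1, g + 1)}
    a = [1]
    for i in range(1, g + 1):                                # Corollary 1
        a.append(sum(S[k] * a[i - k] for k in range(1, i + 1)) // i)
    for i in range(g + 1, 2 * g + 1):                        # Theorem 1 (d)(2)
        a.append(p ** (i - g) * a[2 * g - i])
    return a

def jacobian_order(p, h, f, n):
    """Steps 3-4: #J(C;F_{p^n}) = L_n(1) with L_n(t) = prod (1 - alpha_i^n t).
    Newton's identities turn the a_i into power sums of the alpha_i and the
    power sums of alpha_i^n back into the coefficients of L_n, all in integers."""
    a = l_polynomial(p, h, f)
    d = len(a) - 1                                           # 2g
    e = [(-1) ** i * a[i] for i in range(d + 1)]              # L(t) = sum (-1)^i e_i t^i
    ps = [0] * (d * n + 1)                                   # ps[k] = sum_i alpha_i^k
    for k in range(1, d * n + 1):
        ps[k] = sum((-1) ** (j - 1) * e[j] * ps[k - j] for j in range(1, min(k, d) + 1))
        if k <= d:
            ps[k] += (-1) ** (k - 1) * k * e[k]
    P = [ps[n * k] for k in range(d + 1)]                     # power sums of alpha_i^n
    E = [1]
    for k in range(1, d + 1):                                # elementary symmetric in alpha_i^n
        E.append(sum((-1) ** (j - 1) * E[k - j] * P[j] for j in range(1, k + 1)) // k)
    return sum((-1) ** k * E[k] for k in range(d + 1))

def embedding_degree(q, order, kmax):
    """Smallest k <= kmax with q^k = 1 (mod order), i.e. the extension degree of
    the Tate-pairing embedding that condition C2' bounds; None if none found."""
    return next((k for k in range(1, kmax + 1) if pow(q, k, order) == 1), None)

if __name__ == "__main__":
    h, f = [1], [0, 0, 0, 0, 0, 1]          # constructed sample: v^2 + v = u^5 over F_2, g = 2
    print("L(t):", l_polynomial(2, h, f))    # [1, 0, 0, 0, 4]
    for n in (1, 2, 3, 59):
        print(n, jacobian_order(2, h, f, n))    # 5, 25, 65, 2^118 + 1
    # supersingular curve: #J(C;F_2^59) divides (2^59)^4 - 1, so it fails C2'
    print("embedding degree:", embedding_degree(2 ** 59, jacobian_order(2, h, f, 59), 100))
```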



5 Jacobians over Finite Fields of Characteristic 2

Koblitz [Ko88][Ko89] considered the security of the discrete logarithm problem
over jacobians of genus 2 curves when the definition fields have characteristic
2. However, Frey and Rück [FR94] generalized the MOV-reduction to hyperelliptic
curves. They have found that some of the hyperelliptic cryptosystems presented by
Koblitz [Ko89] are breakable in sub-exponential time. In this section, we discuss
the security of genus 2 curves which have the form v^2 + h(u)v = f(u) defined
over characteristic 2 finite fields. We also discuss the security of genus 3, 4, 5
and 6 curves.

5.1 Genus 2 Curves

First, we examine the order of jacobians #J(C;F_{2^n}) in the case of h(u) = 1,
where the degree of f(u) equals 5. We also examine their factorizations.

Extension degrees n of F_{2^n} were examined from 59 to 89. The reason is that
#J(C;F_{2^59}) has a size of 119 bits and #J(C;F_{2^89}) has a size of 179 bits. Namely,
if the jacobians are secure, their level of security is in the range from
approximately RSA-512 to RSA-1024.^1 ("RSA-n" denotes RSA with an n-bit key.)
We have examined whether Pmax of #J(C;F_{2^n}) divides (2^n)^k - 1 to confirm the
security condition C2'. (Pmax denotes the largest prime factor of #J(C;F_q).) As
a result, for example, in the case of f(u) = u^5 + u^3, #J(C;F_{2^89}) has a size of
179 bits and its Pmax has a size of 134 bits. However, Pmax divides (2^89)^k - 1 for
a small k. Therefore, the jacobian does not satisfy C2' (see also [FR94]).

In the case of h(u) = 1, we have failed to obtain secure jacobians which
satisfy C1 and C2'. However, in [Ko98], Koblitz examined the case of h(u) = u
and showed examples of secure jacobians. We have examined the wider class in
which h(u) has degree at most g. As a result, #J(C;F_{2^89}) of
C : v^2 + (u^2 + u + 1)v = u^5 + u + 1 has a size of 179 bits. Its Pmax has a
size of 178 bits. We also confirmed that the jacobian satisfies C2'. The factorization
of the jacobian order is given in Appendix A.

5.2 Curves of Genus Larger than 2

Next, we examine #J(C;F_{2^n}) and their factorizations in the case of curves C :
v^2 + v = f(u) of genus 3, 4, 5 or 6, where the degree of f(u) equals 7, 9, 11 or
13, respectively.

Table 1 shows the list of the size of #J(C;F_{2^n}) and the size of Pmax. The
factorizations are given in Appendix A. Extension degrees n of F_{2^n} were chosen
such that #J(C;F_{2^n}) has a size larger than 160 bits. Namely, if the listed
jacobians are secure, their level of security is approximately the same as RSA-1024
or with a larger key. The listed equations of curves C have the largest Pmax for a
fixed extension degree n. In the case of genus 5, all prime factors of #J(C;F_{2^37}) have
a much smaller size than 160 bits. Therefore, J(C;F_{2^41}) is listed.

We have examined whether Pmax of #J(C;F_{2^n}) divides (2^n)^k - 1 to confirm
the security condition C2'. All listed #J(C;F_{2^n}) satisfy C2'. Namely, Pmax does
not divide (q^n)^k - 1 with small k. Therefore, the curves shown in Table 1 are
secure and have the same or higher level of security as RSA-1024. We implement
group operations of the jacobians in software in a later section.

^1 The notation "same level of security" is based on the following: One of the most
efficient algorithms for integer factoring is the number field sieve. The method
takes exp(c (ln n)^{1/3} (ln ln n)^{2/3}) time, where 1.5 < c < 1.9 and n denotes the size
of an integer. On the other hand, the Pohlig-Hellman method, which is an efficient
algorithm for the discrete logarithm problem on elliptic curves, takes \sqrt{Pmax}. Therefore,
for example, EC-160 has approximately the same level of security as RSA-1024.

| genus | J             | C : v^2 + v = f(u)          | size of #J | size of Pmax |
|-------|---------------|-----------------------------|------------|--------------|
| 3     | J(C;F_{2^59}) | f(u) = u^7                  | 178-bit    | 165-bit      |
| 4     | J(C;F_{2^41}) | f(u) = u^9 + u^7 + … + 1    | 164-bit    | 161-bit      |
| 5     | J(C;F_{2^41}) | f(u) = u^11 + … + u + 1     | 205-bit    | 201-bit      |
| 6     | J(C;F_{2^29}) | f(u) = u^13 + u^7 + … + 1   | 174-bit    | 170-bit      |

Table 1. Jacobians over char 2 finite fields of genus 3, 4, 5 and 6 curves
(terms of f(u) that are illegible in the scan are marked "…")

6 Jacobians over Finite Fields of Characteristic Larger than Two

In this section, we examine genus 2 curves over characteristic 3, 5 and 7 finite
fields. Moreover, we examine genus 3 and 4 curves.

6.1 Genus 2 Curves

First, we examine the curve C : v^2 = f(u), where f(u) has degree 5. Tables 2,
3 and 4 show the list of the size of #J(C;F_{p^n}) and the size of Pmax in the case
of p = 3, 5, 7, respectively. Tabulated are the cases in which the coefficients of the
curves are in {0, 1}. The factorizations of #J(C;F_{p^n}) are given in Appendix A.

In the case of characteristic 3, extension degrees n of F_{3^n} were examined from
37 to 59. #J(C;F_{3^37}) has a size of 118 bits, and #J(C;F_{3^59}) has a size of 188 bits.

As in the last section, if the listed jacobians are secure, their levels of security are
in the range from approximately RSA-512 to RSA-1024. The listed equations
of curves C have the largest Pmax for a fixed extension degree n. As in the case of
characteristic 3, extension degrees n of F_{5^n} were examined from 23 to 43, and
extension degrees n of F_{7^n} were examined from 19 to 37.

We have examined whether Pmax of #J(C;F_{p^n}) divides (p^n)^k - 1 to confirm
the security condition C2'. All listed #J(C;F_{p^n}) in Tables 2, 3 and 4 satisfy C2'.
Namely, Pmax does not divide (p^n)^k - 1 with small k.

6.2 Curves of Genus Larger than 2

Next, we examine the order of jacobians #J(C;F_{p^n}) and their factorizations for
genus 3 and 4 curves C : v^2 = f(u), where the degree of f(u) equals 7 and 9,
respectively.

Table 5 shows the list of the size of #J(C;F_{p^n}) and the size of the largest
prime factor of #J(C;F_{p^n}). As in the case of genus 2, there exist secure jacobians
which satisfy the condition C2'. The factorizations of #J(C;F_{p^n}) are given in
Appendix A.
| J             | C                          | size of #J | size of Pmax |
|---------------|----------------------------|------------|--------------|
| J(C;F_{3^37}) | v^2 = u^5 + … + u + 1      | 118-bit    | 97-bit       |
| J(C;F_{3^41}) | v^2 = u^5 + … + u + 1      | 130-bit    | 116-bit      |
| J(C;F_{3^43}) | v^2 = u^5 + … + 1          | 137-bit    | 118-bit      |
| J(C;F_{3^47}) | v^2 = u^5 + … + u + 1      | 149-bit    | 135-bit      |
| J(C;F_{3^53}) | v^2 = u^5 + … + u + 1      | 169-bit    | 147-bit      |
| J(C;F_{3^59}) | v^2 = u^5 + … + u + 1      | 188-bit    | 185-bit      |

Table 2. Genus 2 curves over char 3 fields (terms of f(u) illegible in the scan
are marked "…")

| J             | C                          | size of #J | size of Pmax |
|---------------|----------------------------|------------|--------------|
| J(C;F_{5^23}) | v^2 = u^5 + … + 1          | 107-bit    | 103-bit      |
| J(C;F_{5^29}) | v^2 = u^5 + … + u + 1      | 135-bit    | 129-bit      |
| J(C;F_{5^31}) | v^2 = u^5 + …              | 144-bit    | 140-bit      |
| J(C;F_{5^37}) | v^2 = u^5 + … + 1          | 172-bit    | 149-bit      |
| J(C;F_{5^41}) | v^2 = u^5 + … + 1          | 191-bit    | 118-bit      |
| J(C;F_{5^43}) | v^2 = u^5 + …              | 200-bit    | 196-bit      |

Table 3. Genus 2 curves over char 5 fields

| J             | C                          | size of #J | size of Pmax |
|---------------|----------------------------|------------|--------------|
| J(C;F_{7^19}) | v^2 = u^5 + … + u + 1      | 107-bit    | 76-bit       |
| J(C;F_{7^23}) | v^2 = u^5 + … + u + 1      | 130-bit    | 118-bit      |
| J(C;F_{7^29}) | v^2 = u^5 + … + 1          | 164-bit    | 157-bit      |
| J(C;F_{7^31}) | v^2 = u^5 + … + 1          | 175-bit    | 154-bit      |
| J(C;F_{7^37}) | v^2 = u^5 + … + u + 1      | 208-bit    | 203-bit      |

Table 4. Genus 2 curves over char 7 fields

| char | genus | J             | C                       | size of #J | size of Pmax |
|------|-------|---------------|-------------------------|------------|--------------|
| 3    | 3     | J(C;F_{3^37}) | v^2 = u^7 + … + 1       | 176-bit    | 171-bit      |
| 3    | 4     | J(C;F_{3^29}) | v^2 = u^9 + … + 1       | 184-bit    | 178-bit      |
| 5    | 3     | J(C;F_{5^23}) | v^2 = u^7 + … + 1       | 161-bit    | 154-bit      |
| 5    | 4     | J(C;F_{5^19}) | v^2 = u^9 + … + u + 1   | 177-bit    | 168-bit      |
| 7    | 3     | J(C;F_{7^19}) | v^2 = u^7 + … + u + 1   | 161-bit    | 152-bit      |
| 7    | 4     | J(C;F_{7^17}) | v^2 = u^9 + … + u + 1   | 191-bit    | 181-bit      |

Table 5. Genus 3 and 4 curves over char 3, 5 and 7 fields



7 Implementation and Timings

In this section, we show the software implementation and timings of group operations
in jacobians over characteristic 2 finite fields obtained in the previous sections.

7.1 Computing in Jacobians

We show here an algorithm for addition and doubling of elements D \in J(C;F_{2^n}).
A divisor D is regarded simply as a pair of polynomials D = div(a(u), b(u))
such that deg b < deg a and deg a \le g. We give here a brief description of
the algorithm for the addition D_3 = D_1 + D_2, where D_3 = div(a_3, b_3), D_1 =
div(a_1, b_1), D_2 = div(a_2, b_2) (see [Ca87][Ko89] for more details).

Addition

Input: two divisors D_1 = div(a_1, b_1), D_2 = div(a_2, b_2) \in J
Output: D_3 = div(a_3, b_3) = D_1 + D_2

Step A1  Compute d_1, s_1 and s_2 which satisfy
         d_1 = gcd(a_1, a_2) and d_1 = s_1 a_1 + s_2 a_2
Step A2  If d_1 = 1 then
           a := a_1 a_2, b := s_1 a_1 b_2 + s_2 a_2 b_1 (mod a)
         else
           Compute d_2, s_1', s_2' and s_3 which satisfy
           d_2 = gcd(d_1, b_1 + b_2 + h) and d_2 = s_1' a_1 + s_2' a_2 + s_3 (b_1 + b_2 + h)
           a := a_1 a_2 / d_2^2, b := (s_1' a_1 b_2 + s_2' a_2 b_1 + s_3 (b_1 b_2 + f)) / d_2 (mod a)
Step A3  While deg(a) > g do the following:
           a_3 := (f - hb - b^2) / a, b_3 := -h - b (mod a_3), a := a_3, b := b_3
Step A4  Return D_3 = div(a_3, b_3)

If a_1 and a_2 have no common factor, Step A2 is the simpler case. Note that
the case gcd(a_1, a_2) = 1 is extremely likely if the definition field is large and a_1
and a_2 are the coordinates of two randomly chosen elements of the jacobian.
When a_1 = a_2 and b_1 = b_2, i.e., doubling an element of J(C;F_{2^n}), we can take
s_2 = 0. Moreover, in the case of char F = 2 and h(u) = 1, d_2 = 1, s_1' = s_2' = 0,
s_3 = 1, and a = a_1^2, b = b_1^2 + f (mod a). Therefore, in the case of J(C;F_{2^n})
and C : v^2 + v = f(u), the doubling can be done by the following algorithm.

Doubling

Input: a divisor D_1 = div(a_1, b_1) \in J
Output: D_2 = div(a_2, b_2) = D_1 + D_1

Step D1  a := a_1^2, b := b_1^2 + f (mod a)
Step D2  While deg(a) > g do the following:
           a_2 := (f - b - b^2) / a, b_2 := -h - b (mod a_2), a := a_2, b := b_2
Step D3  Return D_2 = div(a_2, b_2)

Addition and doubling take O(g^2) field multiplications. The details of the
estimation of the computational cost can be found in [SSI98].

7.2 Field Operations

All operations in addition and doubling of D \in J(C;F_{2^n}) are done by operations
in a finite field, because our divisors D (pairs of two polynomials) have coefficients
in their definition field. We use a polynomial basis in our implementations.

7.3 Representation of Field Elements in Memory

Elements of F_{2^n} can be represented as n-bit words in computer memory. If the
CPU has m-bit registers, F_{2^n} with n \le m can be handled simply as ordinary
"unsigned integers". However, unfortunately, if n > m, we need
to use "multi-precision" operations for computing. In general, we need such
multi-precision operations for RSA and elliptic curve cryptosystems. On the
other hand, the order of an abelian variety A(F_q) of genus g lies in the range
(\sqrt{q} - 1)^{2g} \le #A(F_q) \le (\sqrt{q} + 1)^{2g}. Therefore, if we choose curves
carefully, hyperelliptic cryptosystems, which have larger genus g curves compared
to elliptic curves, can be implemented without a multi-precision library, because an
element of the definition field can be stored in computer registers. Such hyperelliptic
cryptosystems may have practical performance even though the algorithm
for addition of D, shown in the last sub-section, is much more expensive than
the algorithm for addition of points on elliptic curves.

7.4 Generating Random Divisors

From the cryptosystem point of view, we need a method of generating a
"random" divisor D \in J(C;F_{q^n}). In [Ko89], Koblitz gave such a method,
as follows. In our implementation, we generated divisors D by this method.

We may regard C as defined over F_{q^n}. Let C have the equation v^2 + h(u)v =
f(u). Choose the coordinate u = x \in F_q at random and attempt to solve v^2 +
h(x)v = f(x). In the case that q is even and h(x) \ne 0, the change of variables
z = v/h(x) leads to the equation z^2 + z = a, where a = f(x)/h(x)^2. It is easy to
see that this equation has a solution z \in F_q if Tr(a) = 0 and does not have a
solution if this trace is 1. In the latter case, we must choose another u = x \in F_q
and start again. In the former case, we can find z as follows: If q = 2^n is an odd
power of 2, simply set …
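Steps D1-D3 of Sect. 7.1 and the random-divisor method of Sect. 7.4, written together in Python as an added example that is not the authors' C code: elements of F_{2^n} are n-bit integers in the sense of Sect. 7.3, so every field operation is word-sized for n < 64. The way z^2 + z = a is solved for odd n is assumed to be the standard half-trace, since the page's own formula is cut off above; the modulus w^3 + w + 1, the curve v^2 + v = u^5 and the candidate source are constructed sample inputs.

```python
"""Doubling of a reduced divisor in J(C; F_{2^n}) for C: v^2 + v = f(u)
(Steps D1-D3 of Sect. 7.1) and random divisor generation (Sect. 7.4).
Added example, not the authors' code.  Elements of F_{2^n} are n-bit ints,
polynomials over F_{2^n} are lists of ints (low degree first), and a divisor
is a pair (a, b) of such polynomials with a monic and deg b < deg a <= g."""
import random

def gf_mul(x, y, n, mod):
    """Product in F_{2^n} = F_2[w]/(mod), where mod has bit n set."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> n:
            x ^= mod
    return r

def gf_inv(x, n, mod):
    """x^{-1} = x^{2^n - 2} by square-and-multiply (x nonzero)."""
    r, e = 1, (1 << n) - 2
    while e:
        if e & 1:
            r = gf_mul(r, x, n, mod)
        x, e = gf_mul(x, x, n, mod), e >> 1
    return r

def gf_trace(x, n, mod):
    """Tr(x) = x + x^2 + ... + x^(2^(n-1)), an element of F_2."""
    t = 0
    for _ in range(n):
        t, x = t ^ x, gf_mul(x, x, n, mod)
    return t

def gf_halftrace(x, n, mod):
    """Assumed solver for odd n and Tr(x) = 0: z = sum_{i=0}^{(n-1)/2} x^(4^i)
    satisfies z^2 + z = x (standard half-trace)."""
    z = 0
    for _ in range((n + 1) // 2):
        z ^= x
        x = gf_mul(x, x, n, mod)
        x = gf_mul(x, x, n, mod)
    return z

def p_trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def p_add(a, b):                     # characteristic 2: coefficient-wise xor
    c = [0] * max(len(a), len(b))
    for poly in (a, b):
        for i, x in enumerate(poly):
            c[i] ^= x
    return p_trim(c)

def p_mul(a, b, n, mod):
    c = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            c[i + j] ^= gf_mul(x, y, n, mod)
    return p_trim(c)

def p_divmod(a, b, n, mod):
    """Quotient and remainder of a by a nonzero polynomial b."""
    a, inv = list(a), gf_inv(b[-1], n, mod)
    q = [0] * max(len(a) - len(b) + 1, 0)
    for i in range(len(a) - len(b), -1, -1):
        q[i] = gf_mul(a[i + len(b) - 1], inv, n, mod)
        for j, y in enumerate(b):
            a[i + j] ^= gf_mul(q[i], y, n, mod)
    return p_trim(q), p_trim(a)

def double(D, f, g, n, mod):
    """D + D for h(u) = 1 in characteristic 2 (Steps D1-D3 of the paper)."""
    a1, b1 = D
    a = p_mul(a1, a1, n, mod)                                    # a := a1^2
    b = p_divmod(p_add(p_mul(b1, b1, n, mod), f), a, n, mod)[1]  # b := b1^2 + f (mod a)
    while len(a) - 1 > g:                                        # Step D2
        a, rem = p_divmod(p_add(p_add(f, b), p_mul(b, b, n, mod)), a, n, mod)
        assert rem == [], "a must divide f + b + b^2 for a valid divisor"
        inv = gf_inv(a[-1], n, mod)
        a = [gf_mul(c, inv, n, mod) for c in a]                  # keep a monic
        b = p_divmod(p_add(b, [1]), a, n, mod)[1]                # b := -h - b = 1 + b (mod a)
    return a, b

def random_divisor(f, n, mod, rng):
    """Sect. 7.4 with q = 2^n, n odd, h = 1: pick x at random, accept when
    Tr(f(x)) = 0, solve v^2 + v = f(x) by the half-trace; D = (x, y) - infinity."""
    while True:
        x = rng.randrange(1 << n)
        fx = 0
        for c in reversed(f):                    # Horner: f(x) in F_{2^n}
            fx = gf_mul(fx, x, n, mod) ^ c
        if gf_trace(fx, n, mod) == 0:
            return [x, 1], p_trim([gf_halftrace(fx, n, mod)])

if __name__ == "__main__":      # constructed sample: F_8 = F_2[w]/(w^3 + w + 1), v^2 + v = u^5
    D = random_divisor([0, 0, 0, 0, 0, 1], 3, 0b1011, random.Random(1))
    print("D =", D, " 2D =", double(D, [0, 0, 0, 0, 0, 1], 2, 3, 0b1011))
```

Since #J(C;F_8) = 65 for this curve and 2^12 = 1 (mod 65), twelve doublings of any divisor return it unchanged, which is an independent check of the arithmetic.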



7.5 Timings

We have implemented group operations in jacobians over F_{2^n} and timed an
exponentiation, an addition and a doubling of randomly generated divisors using
the algorithms shown in the previous subsections. An exponentiation was done
with a simple repeated-doubling method.

The platforms used were an Alpha 21164A (467MHz) and a Pentium-II (300MHz).
The Alpha has 64-bit registers and the Pentium-II has 32-bit registers. Programs were
written in C. When the extension degree n of F_{2^n} is larger than
the register size of the CPU, we used the GNU-MP library (gmp-2.0.2) for multi-
precision operations.

Table 6 shows the processing time of an exponentiation, an addition and a
doubling of a randomly given divisor implemented on the Alpha 21164A (467MHz)
and the Pentium-II (300MHz). The order of each jacobian #J(C;F_{2^n}) has a
largest prime factor larger than 160 bits; namely, they have the
same or higher level of security as RSA-1024 and EC-160.

All jacobians of Table 6 are defined over finite fields F_{2^n} with n < 64. Therefore,
we can implement them with no multi-precision library on the Alpha 21164A
(467MHz). J(C;F_{2^59}) of the genus 3 curve C : v^2 + v = u^7 achieved 83.3 msec. in an
exponentiation. Moreover, in the case of the Pentium, we should focus on the case of
| g | F_{2^n}  | f(u) in C : v^2 + v = f(u) | Addition (msec.) Alpha | Pentium | Doubling (msec.) Alpha | Pentium | Exp. (msec.) Alpha | Pentium   |
|---|----------|----------------------------|------------------------|---------|------------------------|---------|--------------------|-----------|
| 3 | F_{2^59} | u^7                        | 0.54                   | 67.6    | 0.26                   | 34.1    | 83.3               | 1.17·10^4 |
| 4 | F_{2^41} | u^9 + … + 1                | 0.55                   | 67.2    | 0.26                   | 33.3    | 96.6               | 1.09·10^4 |
| 5 | F_{2^41} | u^11 + … + u + 1           | 0.88                   | 109     | 0.48                   | 58.7    | 183                | 2.36·10^4 |
| 6 | F_{2^29} | u^13 + u^7 + … + 1         | 0.83                   | 2.68    | 0.44                   | 1.45    | 159                | 476       |

Table 6. Timings of jacobians which have the same level of security as RSA-1024 on
Alpha 21164A (467MHz) and Pentium-II (300MHz)

| g  | J              | C                  | size of Pmax | Addition (msec.) | Doubling (msec.) | Exp. (msec.) |
|----|----------------|--------------------|--------------|------------------|------------------|--------------|
| 3  | J(C;F_{2^89})  | v^2 + v = u^7      | 246-bit      | 85.3             | 42.8             | 2.57·10^4    |
| 3  | J(C;F_{2^113}) | v^2 + v = u^7      | 310-bit      | 118              | 58.9             | 3.79·10^4    |
| 11 | J(C;F_{2^47})  | v^2 + v = u^{23}   | 310-bit      | 5.04             | 3.13             | 1.74·10^3    |

Table 7. Timings of jacobians of C : v^2 + v = u^{2g+1} which have the same level of
security as RSA-2048 or RSA-5000 over Alpha 21164A (467MHz)



J(C;F_{2^29}) of the genus 6 curve C : v^2 + v = … + 1. An exponentiation
took 476 msec. on the Pentium-II (300MHz). This jacobian achieves good
performance and is faster than other jacobians of smaller genus curves, because of
the field size.

Moreover, we have implemented genus 3 and 11 curves, which have the same
level of security as RSA-2048 and RSA-5000. Table 7 shows the processing time
of C : v^2 + v = u^{2g+1} implemented over the Alpha 21164A (467MHz). Even if the
genus is 11, which has the same level of security as RSA-5000, an exponentiation
took 1.79 sec because of the small size of the definition field.

In the case of elliptic curve cryptosystems, many techniques for efficient
implementation have been developed, and timings have been reported. For example,
in [WBV96], an elliptic curve (over F_{2^177}) exponentiation with a 177-bit exponent
achieved 72 msec. on a Pentium 133 MHz. In [MOC97], an elliptic curve (over
F_p, p = 2^… - 1825) exponentiation with a 169-bit exponent (of a random point)
achieved 32.54 msec. on a Sparc 110 MHz. On the other hand, in the case of
hyperelliptic cryptosystems, no such report has been published. Our hyperelliptic
curve exponentiations, which have smaller definition fields, are a few times slower
than the elliptic curve cases. However, our implementation suggests that
hyperelliptic curve cryptosystems may have practical performance.
A Jacobians which have the Same Level of Security as RSA-1024

In this Appendix, we show jacobians such that the largest prime factor (Pmax) of
#J(C;F_{q^n}) has a size of approximately … Terms of f(u) that are illegible in the
scan are marked "…".

A.1 Characteristic 2

Genus 2 curves

J(C;F_{2^89}), C : v^2 + (u^2 + u + 1)v = u^5 + u + 1 / F_2 (Pmax: 178-bit)

P = 2 · 191561942608242456073498418252108663615312031512914969

Genus 3 curves

J(C;F_{2^59}), C : v^2 + v = u^7 / F_2 (Pmax: 165-bit)

P = 7 · 827 · 33090679324276404784037550343359349791850702512053

Genus 4 curves

J(C;F_{2^41}), C : v^2 + v = u^9 + u^7 + … + 1 / F_2 (Pmax: 161-bit)

P = 11 · 2125818615244041340661452662120917241919480417187

Genus 5 curves

J(C;F_{2^41}), C : v^2 + v = u^11 + … + u + 1 / F_2 (Pmax: 201-bit)

P = 29 · 1773173014354747890253199550169173842018096398692873319662133

Genus 6 curves

J(C;F_{2^29}), C : v^2 + v = u^13 + u^7 + … + 1 / F_2 (Pmax: 170-bit)

P = 23 · 1040988300089925365337867649065425169641062000079783

J(C;F_{2^29}), C : v^2 + v = u^13 + … + 1 / F_2 (Pmax: 171-bit)

P = 13 · 1841646667025959098054051155819603805847557201575621

A.2 Characteristic 3

Genus 2 curves

J(C;F_{3^59}), C : v^2 = u^5 + … + u + 1 / F_3 (Pmax: 185-bit)

P = 5 · 39933562220320460133120368418577581396339849557868704977

Genus 3 curves

J(C;F_{3^37}), C : v^2 = u^7 + … + 1 / F_3 (Pmax: 171-bit)

P = 5 · 7 · 2608502325966498106517804088886290895899401162747777

J(C;F_{3^37}), C : v^2 = u^7 + … + 1 / F_3 (Pmax: 164-bit)

P = 47 · 149 · 13036924465204430321626282159677955928081271322337

Genus 4 curves

J(C;F_{3^29}), C : v^2 = u^9 + … + u + 1 / F_3 (Pmax: 177-bit)

P = 137 · 161936596667550201850764509341446010074223174018351807

J(C;F_{3^29}), C : v^2 = u^9 + … + 1 / F_3 (Pmax: 178-bit)

P = 2 · 43 · 257968616884115037815521227015137018694634859077456601

J(C;F_{3^29}), C : v^2 = u^9 + … + u + 1 / F_3 (Pmax: 178-bit)

P = 2 · 53 · 209295417307275986159417399889573453667424414714367781

J(C;F_{3^29}), C : v^2 = u^9 + … + 1 / F_3 (Pmax: 178-bit)

P = 3 · 37 · 199867665359855144576119236835076831435089172471787133

J(C;F_{3^29}), C : v^2 = u^9 + … + u + 1 / F_3 (Pmax: 178-bit)

P = 5 · 19 · 233529568966516115208148703607774647750483532026125357

A.3 Characteristic 5

Genus 2 curves

J(C;F_{5^43}), C : v^2 = u^5 + … + 1 / F_5 (Pmax: 196-bit)

P = 2 · 2 · 5 · 64623485355705134605734078473194763210739812239980205784653

Genus 3 curves

J(C;F_{5^23}), C : v^2 = u^7 + … + 1 / F_5 (Pmax: 154-bit)

P = 3 · 43 · 13132293573869607525341363618339646743815332017

Genus 4 curves

J(C;F_{5^19}), C : v^2 = u^9 + … + 1 / F_5 (Pmax: 166-bit)

P = 2 · 967 · 68432754693421761179795901150463384835984065125361

J(C;F_{5^19}), C : v^2 = u^9 + … + u + 1 / F_5 (Pmax: 168-bit)

P = 3 · 151 · 292161172338621074756327634541902615881173270592929

J(C;F_{5^19}), C : v^2 = u^9 + … + u + 1 / F_5 (Pmax: 167-bit)

P = 17 · 73 · 106647119155998044412946215375749800145892212819953

A.4 Characteristic 7

Genus 2 curves

J(C;F_{7^29}), C : v^2 = u^5 + … + 1 / F_7 (Pmax: 157-bit)

P = 79 · 131237887042242857431066650243988190313418218301

Genus 3 curves

J(C;F_{7^19}), C : v^2 = u^7 + … + u + 1 / F_7 (Pmax: 152-bit)

P = 2^4 · 41 · 4515589388807654345104182483396611659561472503

Genus 4 curves

J(C;F_{7^17}), C : v^2 = u^9 + … + u + 1 / F_7 (Pmax: 181-bit)

P = 2^4 · 97 · 1887013872967731362035225483450574087672233509002381911

B Curves of v^2 + v = u^{2g+1} over F_2

In this Appendix, we show jacobians of C : v^2 + v = u^{2g+1} in the case of g = 3, 11.

Genus 3 curves

J(C;F_{2^59}), C : v^2 + v = u^7 / F_2 (Pmax: 165-bit)

P = 7 · 827 · 33090679324276404784037550343359349791850702512053

J(C;F_{2^89}), C : v^2 + v = u^7 / F_2 (Pmax: 264-bit)

P = 7 · 179 · 2671 · 70857183122325533127823325792054243244435303883153993362539134263544967267

J(C;F_{2^113}), C : v^2 + v = u^7 / F_2 (Pmax: 310-bit)

P = 7 · 1583 · 75937 · 1330871544591258503904350594363988884236263515175406042076326739667429564571295519238138050393

Genus 11 curves

J(C;F_{2^47}), C : v^2 + v = u^{23} / F_2 (Pmax: 310-bit)

P = 3 · 23 · 29 · 34687 · 254741 · 381077 · 836413 · 4370719 · 122803256446193 · 101578405621916029 · 1396360023741601228722804905934361404439480177105909460096120108013867835189294124093667687457




Construction of Secure Elliptic Cryptosystems 
Using CM Tests and Liftings 



Jinhui Chao^, Osamu Nakamura^, Kohji Sobataka^, and Shigeo Tsujii^ 

^ Dept, of Electrical and Electronic Engineering, Chuo University, Tokyo, Japan 
^ Dept, of Information and Engineering Systems, Chuo University, Tokyo, Japan 
jchaoOelect . chuo-u. ac . jp, sobaOchao . elect . chuo-u. ac . jp, 
tsujiiOise . chuo-u. ac . jp 



Abstract. Elliptic curves over number fields with CM can be used to 
design non-isogenous elliptic cryptosystems over hnite helds efficiently. 

The existing algorithm to build such CM curves, so-called the CM held 
algorithm, is based on analytic expansion of modular functions, costing 
computations of where h is the class number of the en- 

domorphism ring of the CM curve. Thus it is effective only in the small 
class number cases. 

This paper presents polynomial time algorithms in h to build CM elliptic 
curves over number helds. In the hrst part, probabilistic probabilistic 
algorithms of CM tests are presented to hnd elliptic curves with CM 
without restriction on class numbers. In the second part, we show how 
to construct ring class helds from ray class helds. Finally, a deterministic 
algorithm for lifting the ring class equations from small hnite helds thus 
construct CM curves is presented. Its complexity is shown as 0{h7). 

1 Introduction 

Elliptic curves over finite fields have been used in recent public key cryptosy- 
stems, authentication and signature schemes. The discrete logarithm problems 
over the elliptic curves can resist all known subexponential attacks, which then 
can implement cryptographic schemes in higher speed and less key sizes while 
retain the same security comparing with traditional cryptographic functions 

mMm- 

Among the methods to construct explicitly secure elliptic curves over finite fields 
for cryptosystem applications, the point-counting algorithms, now known as the 
SEA algorithms can find secure curves over finite fields from randomly selected 
elliptic curves, but still be quite time consuming since they generally need to be 
repeated many times until a secure curve is found isziraisiEiizDira. Another 
difficulty of this approach is that when one wishes to choose different curves 
for different users or periodically change curves over finite fields in the same 
cryptosystem, he has to undergo the whole process of the above calculations, or 
it always takes the same computations in order to obtain any new secure curves 
and cryptosystems. 

K. Ohta and D. Pei (Eds.): ASIACRYPT’98, LNCS 1514, pp. 95-|Tnn| 1998. 

© Springer- Verlag Berlin Heidelberg 1998 
According to [ref], if the same curve over a finite field is repeatedly used in an 
elliptic cryptosystem, even each time with a random base point, one can easily 
transform the new discrete logarithm problem into the old one. Thus the 
old database can be put to good use, so that one can attack this kind of 
cryptosystem faster than those which switch each time to a new or 
non-isogenous curve over a finite field. Furthermore, if one is willing to build a 
large database, then with certain variations of the Baby-step Giant-step algorithm 
one can attack the cryptosystems using a fixed curve over a finite field 
in time of [illegible], d > 2, rather than the standard complexity of the Baby-step 
Giant-step algorithm, O(√q). 

Another approach to build secure elliptic curves over finite fields, which is much 
faster and meets the requirement to change to non-isogenous curves frequently, 
is to use a family of elliptic curves defined over number fields, i.e. those with 
complex multiplication, or CM elliptic curves [refs]. 

In fact, CM curves may not be easy to find, but once a CM curve over 
a number field is built, one can use very simple and fast algorithms to design 
directly non-isogenous curves over finite fields with different and possibly prespecified 
(almost prime) orders, and therefore as many different secure cryptosystems as 
one wishes, by changing the characteristics and extension degrees of the finite 
definition fields. This can be done by efficient algorithms of reduced quadratic 
forms (see appendix) or the Cornacchia algorithm. 

As to the security of using CM curves, it is known that all elliptic curves over 
finite fields are with CM (so usually they are not referred to as CM curves, and 
we will reserve the name exclusively for curves over number fields). Furthermore, 
each elliptic curve over a finite field is the reduction of a CM curve (known 
as its Deuring lifting) over a certain number field. If there were any attack 
which worked effectively particularly for the elliptic cryptosystems designed from 
CM curves, we would need only to consider the lifting attacks, which lift the elliptic 
curves over finite fields to their Deuring liftings over number fields and solve 
the discrete logarithm problems over number fields. However, it is well known 
that these kinds of attacks seem exponentially hard, due to the difficulty in lifting the 
rational points of elliptic curves from finite fields to number fields, the exponential 
explosion of the heights of these rational points over number fields, and the 
finite rank of their Mordell-Weil groups. In fact, these are the same arguments 
known for the security of general elliptic cryptosystems [ref], i.e., on the immunity 
of generic elliptic curves from attacks by the index-calculus algorithm. 

Existing algorithms used for the construction of CM curves, somewhat vaguely called 
“CM field algorithms”, are based on the construction of class fields using analytic 
series expansions of the modular functions over C [refs]. 

Although theoretically these algorithms can build any elliptic curve over finite 
fields, they seem tedious and always involve problems such as 
approximation errors. Their complexity is known to be an exponential function 
O(2^? h^?) of the class number h, assuming the elliptic curves have as their 
endomorphism rings an imaginary quadratic order with the class number h. 
Therefore, they become impractical for large class numbers. 
Besides, the scenario of the CM field algorithms, i.e. to start from a particular 
order of an elliptic curve over a given finite field, then calculate the j-invariant 
of the elliptic curve over the class field and finally define the model of the elliptic 
curve over the finite field with the assigned order, seems somewhat misleading 
and unnecessarily involved. 

In fact, a clearer and simpler scenario consists of two stages. The first one is to 
build an explicit model of a CM curve over the class field. The second stage is to 
design the order of the curve over a finite field. The computation time of the first 
stage is obviously dominant. As long as one has a model of an elliptic curve with 
CM over a number field, as mentioned before, one can use this curve to design 
different isogeny classes of secure curves over large finite fields. 

It may be interesting to notice that curves over finite fields whose Frobenius 
endomorphisms have small traces, or whose endomorphism rings have large class numbers, 
can be most quickly calculated by the SEA algorithms, while curves whose 
endomorphism rings have small class numbers, or whose Frobenius endomorphisms 
have large traces, are most easily dealt with by the algorithms using CM curves but 
are the most time consuming for the SEA algorithms. 

Thus, the key issue in using CM curves to design elliptic cryptosystems is to find 
models of CM elliptic curves over number fields efficiently, in copious supply, and 
with endomorphism rings of large discriminants or class numbers. 

In [refs] we showed probabilistic algorithms to find random CM elliptic and 
higher genus curves by CM tests, which require no calculation of j-invariants 
or class equations. 

In this paper, we first show the CM test algorithms in a more complete form 
to find random CM curves. Then we show how to construct ring class fields, 
i.e. the definition fields of the CM curves, without explicit construction of class 
equations, namely from ray class fields, which can be easily derived using division 
polynomials. Finally, an efficient deterministic algorithm for lifting the ring class 
equations from small finite fields is presented to construct CM curves. The 
complexity of this algorithm is polynomial in the class number h: O(h^7). All 
calculations in these algorithms are simple and easy to implement. Since only 
algebraic manipulations are involved, no care is needed to control approximation 
errors during the calculations. 

An interesting generalization of these algorithms is to Jacobian varieties of 
algebraic curves of higher genera [ref] (see also [ref]). 

2 CM Tests for Elliptic Curves 

We show in this section fast algorithms to test whether an elliptic curve over a number 
field is with CM, which can be used to find random CM curves over number 
fields without calculation of j-invariants and their class equations. 

Definition 1. An elliptic curve E over a field F is with complex multiplication, 
or a CM elliptic curve, if its endomorphism ring End_F E contains the rational 
integer ring Z as a proper subring. 
We refer the details of the theory of complex multiplication to standard references, 
e.g. [refs]. 

Definition 2. An elliptic curve which passed a CM test is called a pseudo-CM 
elliptic curve. 

Let F be a number field. Below, we denote the residue field of a rational prime 
p_i in F as F_{q_i}, and D the discriminant of an imaginary quadratic number field 
Q(√Δ), Δ < 0, the CM field of an ordinary elliptic curve, 
i.e. End^0 E := End_F E ⊗ Q = Q(√Δ). 



Algorithm 1 (CM tests) 

Procedure 1 (Ordinary reduction) [ref] 

Input: Random elliptic curves E/F; 

Output: Pseudo-CM curves and the discriminants of their CM fields. 

Step 1 Choose a small prime p_1 such that E/F_{q_1} is an ordinary reduction. Find 
the discriminant d_1 = l_1^2 Δ_1 (Δ_1 square free) of the characteristic polynomial 
of the Frobenius endomorphism; 

Step 2 Choose small primes p_i, i = 2, ..., N, such that (Δ_1/p_i) = 1, then for E/F_{q_i} 
find the discriminant of the Frobenius endomorphism d_i = l_i^2 Δ_i. If Δ_i = 
Δ_1 for all i, output E as a pseudo-CM curve with the discriminant D_1. 
Otherwise, output E/F as without CM. 

Procedure 2 (Supersingular reduction) 

Input: Random elliptic curves E/F; 

Output: Pseudo-CM curves and the discriminants of their CM fields. 

Step 1 Choose a small prime p_1 such that E/F_{q_1} is an ordinary reduction. Find 
the discriminant d_1 = l_1^2 Δ_1 of the characteristic polynomial of the Frobenius 
endomorphism; 

Step 2 Choose small primes p_i, i = 2, ..., N, such that (Δ_1/p_i) = -1, then if 
E/F_{p_i^2} are supersingular or additive bad reductions for all i, output 
E as a pseudo-CM curve with the discriminant D_1. Otherwise, output E/F 
as without CM. 

Procedure 3 (Bad reduction) 

Input: Random elliptic curves E/F; 

Output: Pseudo-CM curves and the discriminants of their CM fields. 

Step 1 Choose a small prime p_1 such that E/F_{q_1} is an ordinary reduction. Find 
the discriminant d_1 = l_1^2 Δ_1 of the characteristic polynomial of the Frobenius 
endomorphism; 

Step 2 Choose small primes p_i such that (Δ_1/p_i) = 0, then if E/F_{p_i^2} are 
supersingular or additive bad reductions for all i, output E as a pseudo-CM curve 
with the discriminant D_1. Otherwise, output E/F as without CM. 
Remark 1: The calculations in these tests can obviously be done by fast algorithms 
in polynomial time in log p_max. 

Remark 2: With extra computations, Step 2 can be refined to identify the 
isomorphism types of the endomorphism rings by e.g. Kohel’s algorithm [ref]. 
In that case, one will be able to output the discriminants of the endomorphism 
rings. 

Remark 3: Naturally one can combine these procedures to raise the computational 
efficiency, e.g. after Step 1, for the first N primes apply Step 2 of 
each procedure. Besides, the latter two should be applied first. Ordinary 
reductions over prime fields are also preferable. 
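As an added worked example (not code from the paper), the following Python implements Procedure 1 of Algorithm 1 for curves over Q: Step 1 picks the first prime with ordinary reduction and records the square-free part Δ_1 of the Frobenius discriminant, and Step 2 compares Δ_i over further primes with (Δ_1/p_i) = 1, rejecting at the first mismatch. Point counting is done naively, which is adequate for the small primes used here; the model E(j) is the one from Section 4, and the two inputs (j = -15^3, one of the curves found in Section 5, and the constructed non-CM curve y^2 = x^3 + x + 1) are assumptions of the example.

```python
# Procedure 1 (ordinary reduction) of Algorithm 1, for curves over Q; added example.
from math import isqrt


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p (Euler's criterion)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_points(a, b, p):
    """Naive #E(F_p) for y^2 = x^3 + a x + b, p >= 5 (point at infinity included)."""
    return p + 1 + sum(legendre(x * x * x + a * x + b, p) for x in range(p))


def squarefree_part(n):
    """Write n = l^2 * Delta with Delta square-free; the sign stays on Delta."""
    sign = -1 if n < 0 else 1
    n, l, f = abs(n), 1, 2
    while f * f <= n:
        while n % (f * f) == 0:
            n //= f * f
            l *= f
        f += 1
    return l, sign * n


def frobenius_discriminant(a, b, p):
    """Trace t = p + 1 - #E(F_p) and t^2 - 4p = l^2 * Delta, returned as (t, l, Delta)."""
    t = p + 1 - count_points(a, b, p)
    return (t,) + squarefree_part(t * t - 4 * p)


def primes_up_to(n):
    """Sieve of Eratosthenes."""
    sieve = [True] * (n + 1)
    sieve[0] = sieve[1] = False
    for i in range(2, isqrt(n) + 1):
        if sieve[i]:
            sieve[i * i::i] = [False] * len(range(i * i, n + 1, i))
    return [i for i, is_p in enumerate(sieve) if is_p]


def curve_from_j(j):
    """The paper's model E(j): y^2 = x^3 - 3j/(j-1728) x - 2j/(j-1728), reduced mod p.
    Returns None where the model is undefined or singular (p | 6 j (j - 1728))."""
    def reduce_mod(p):
        if p < 5 or j % p == 0 or (j - 1728) % p == 0:
            return None
        inv = pow((j - 1728) % p, -1, p)
        return (-3 * j * inv) % p, (-2 * j * inv) % p
    return reduce_mod


def short_weierstrass(a, b):
    """A curve y^2 = x^3 + a x + b over Q, reduced mod p (None at bad primes)."""
    def reduce_mod(p):
        if p < 5 or (4 * a ** 3 + 27 * b ** 2) % p == 0:
            return None
        return a % p, b % p
    return reduce_mod


def ordinary_cm_test(reduce_mod, primes, n_tests):
    """Returns (passed, Delta_1, number of Step 2 primes examined).
    Step 1: the first prime with ordinary reduction gives d_1 = l_1^2 Delta_1.
    Step 2: n_tests further primes with (Delta_1/p) = 1 must give the same Delta."""
    it = iter(primes)
    for p in it:
        ab = reduce_mod(p)
        if ab is None:
            continue
        t, _, delta1 = frobenius_discriminant(*ab, p)
        if t % p != 0:          # ordinary <=> p does not divide the trace
            break
    else:
        raise ValueError("no ordinary reduction among the given primes")
    checked = 0
    for p in it:
        if legendre(delta1, p) != 1:
            continue            # only primes split in Q(sqrt(Delta_1)) are used
        ab = reduce_mod(p)
        if ab is None:
            continue
        _, _, delta = frobenius_discriminant(*ab, p)
        if delta != delta1:
            return False, None, checked + 1
        checked += 1
        if checked == n_tests:
            return True, delta1, checked
    raise ValueError("ran out of primes before finishing the test")


if __name__ == "__main__":
    primes = primes_up_to(300)
    # j = -15^3: one of the two CM curves found in Section 5 (CM by Q(sqrt(-7)))
    print(ordinary_cm_test(curve_from_j(-15 ** 3), primes, 5))
    # constructed non-CM curve: y^2 = x^3 + x + 1 has a non-integral j-invariant
    print(ordinary_cm_test(short_weierstrass(1, 1), primes, 5))
```

For j = -15^3 the first usable prime is 11 (2, 3, 5 and 7 divide 6j(j - 1728)), where the curve has 16 points, so t = -4 and t^2 - 44 = -28 = 2^2 · (-7); every later split prime returns Δ = -7 again, as Theorem 3 predicts for a CM curve. The constructed non-CM curve gets Δ_1 = -11 from p = 5 and is rejected at the very first Step 2 prime, matching the rejection profile in Section 5.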

If the class equation is known, one can use the following test, which is based 
on the result of Gross-Zagier [ref]; it is very sharp, but the calculation of the 
discriminant becomes heavy for large class numbers. 

Gross-Zagier test 

Input: f(x) ∈ Z[x]: a polynomial; d ∈ Z_{<0}: discriminant of a CM field. 

Output: whether f(x) is the class polynomial H_d(x). 

Step 1 If the constant term of f(x) is not d-smooth, output NO; 

Step 2 If the discriminant of f(x) is not (3/4)d-smooth, output NO; 

Step 3 Output f(x) = H_d(x). 

3 Construction of Ring Class Fields from Ray Class Fields 

Let k = Q(√Δ) (Δ < 0: square free) be an imaginary quadratic number field, 
D the discriminant of k, h(D) the class number of k, O_k the integral ring of 
k, O_c an order of O_k of conductor c with discriminant d = c^2 D, k^c_ring the ring 
class field modulo (c), k^c_ray the ray class field modulo (c), k_abs the absolute or 
Hilbert class field of k, H_D(x) the Hilbert class equation and H_d(x) the ring 
class equation of O_c. 

Let F be a number field. An elliptic curve E/F is with CM if its endomorphism 
ring End_F E is an order O_c of an imaginary quadratic number field k = Q(√Δ), 
where c is the conductor of O_c. Furthermore, an elliptic curve with CM has a 
model over the ring class field modulo (c), k^c_ring. (Specifically, over certain subfields 
sometimes called its moduli fields.) 

In fact, to construct a ring class field, over which the CM elliptic curves are 
defined, is not the same thing as to find the singular moduli or the j-invariants 
which generate the ring class field. As shown below, the former can be much 
easier than the latter. 

It is known that one can obtain ring class fields from the genus fields when d 
is chosen among Euler’s convenient numbers. Below, we obtain the ring class fields 
from the ray class fields easily. Let x_c be the x-coordinate of a c-torsion point 
in E[c], and w_D = h(w_D, O_c) the Weber function. 
Algorithm 2 

Input: d = c^2 D: discriminant of an imaginary quadratic order in k = Q(√Δ), 
or c: its conductor; 

Output: A moduli field Q(j(O_c)) of a ray (ring) class field modulo (c). 

Step 1 Find an elliptic curve E/k_abs with CM such that 

    End_{k_abs} E = O_k, 

whose j-invariant equals j(O_k) ∈ k_abs; 

Step 2 Calculate the c-division polynomial of E, ψ_c(x) ∈ Z[x]; 

Step 3 Find the irreducible factors of ψ_c(x), f_c(x); 

Step 4 Find the moduli fields Q(j(O_c), h(w_D, O_c)) in k_abs(x_c), which 
are generated by two successive simple extensions with H_D(x) and f_c(x) as the 
minimal polynomials. 

Remark 1: Since the division polynomials can be easily calculated, one may 
wish to choose k = Q(√Δ) with small class number h(D). 

Remark 2: If one chooses h(D) = 1, or one uses the thirteen elliptic curves 
over Q, then one finds in k^c_ray the moduli field Q(x_c) = Q(j(O_c), h) with 
minimal polynomial f_c(x). 

In this way, one can readily produce a ring class field or its moduli field, which 
can be used in the CM test algorithms of the previous section as definition fields 
of CM elliptic curves. 

However, since the CM curves over a particular number field are finite in number, 
the probability of finding them could be very low. One may wish to use a more 
efficient and deterministic algorithm to find a CM curve by calculating the 
ring class equation H_d(x), which is also a minimal polynomial of Q(j(O_c)). To 
present such an algorithm is the task of the following section. 



4 Lifting CM Elliptic Curves from Finite Fields 

Let E(j) be a model of an elliptic curve with j as its j-invariant. For p ≠ 2, 3, 

    E(j) : y^2 = x^3 - (3j/(j - 1728)) x - 2j/(j - 1728), 

or, for any characteristic, 

    E(j) : y^2 + xy = x^3 - (36/(j - 1728)) x - 1/(j - 1728). 

Algorithm 3: 

Input: d = c^2 D < 0: discriminant of an imaginary quadratic order in Q(√Δ); 
Output: the ring class equation H_d(x). 
Step 1 Using Algorithm 2, construct a moduli field F of a ring class field k^c_ring; 

Step 2 For small primes p_i, let F_{q_i} be the residue field of the rational prime p_i 
in O_F. 

1. If (d/p_i) = 1, find among all E(j)/F_{q_i}, j ∈ F_{q_i}, the h(d) isogenous but 
non-isomorphic elliptic curves E_s, s = 1, ..., h(d), such that 

    4 q_i = t_s^2 - c_s^2 d,   where t_s = q_i + 1 - #E_s(F_{q_i}). 

Then from the h(d) j-invariants of E_s, j_{i,s} ∈ F_{q_i}, calculate the ring class 
equation mod p_i as 

    H_d(x) mod p_i = \prod_{s=1}^{h(d)} (x - j_{i,s}). 

2. If (d/p_i) = -1, find among all E(j)/F_{p_i^2}, j ∈ F_{p_i^2}, the h(d) isogenous 
but non-isomorphic elliptic curves E_s, s = 1, ..., h(d), such that they are 
supersingular or additive bad reductions. 

Then from the h(d) j-invariants of E_s, j_{i,s} ∈ F_{p_i^2}, calculate the ring class 
equation mod p_i: 

    H_d(x) mod p_i = \prod_{s=1}^{h(d)} (x - j_{i,s}). 

3. If (d/p_i) = 0, find among all E(j)/F_{p_i^2}, j ∈ F_{p_i^2}, the h(d) isogenous but 
non-isomorphic elliptic curves E_s such that E_s/F_{p_i^2} are supersingular or additive 
bad reductions. 

Then from the h(d) j-invariants of E_s, j_{i,s} ∈ F_{p_i^2}, calculate the ring class 
equation mod p_i: 

    H_d(x) mod p_i = \prod_{s=1}^{h(d)} (x - j_{i,s}). 

Step 3 By the Chinese Remainder Theorem (CRT), lift the coefficients of 

    H_d(x) mod \prod_i p_i 

to Z[x]; 

Step 4 If the E(j) defined by the lifted ring class equation passes the CM tests 
of Algorithm 1 or the Gross-Zagier test, then output H_d(x) mod \prod_i p_i 
as the ring class equation H_d(x), and E(j) as a pseudo-CM elliptic curve; if 
not, go to Step 3 to add one more prime p_i or try other combinations. 

Remark 1: Considering the increase of the size of the coefficients of class equations, 
one may first calculate the Weber class invariants f from the j-invariants over finite 
fields, 

    (x - 16)^3 = j x mod p_i,   x = f^{24} mod p_i, 

then lift the Weber class equations, which allows us to lift the class equations 
of large class numbers. The details are referred to [refs]. 

Remark 2: To avoid the combinations, one can use only p such that there is little 
ambiguity in conductors. A more complete version should include Kohel’s 
deterministic algorithm to distinguish the isomorphism types of the full endomorphism 
rings of the elliptic curves E_s/F_{q_i}, e.g. in ordinary lifting to choose 
E_s such that 

    End_{F_{q_i}} E_s = O_c = Z + c O_k. 

In supersingular lifting, check first whether the endomorphism rings of the 
curves contain an optimal embedding of O_c, the imaginary quadratic order which is chosen 
as the endomorphism ring of the target CM curve. 

Remark 3: In fact, lifting from only prime fields is possible once a discriminant 
is chosen appropriately. Thus there is no need to build the ring class field a 
priori, even in implicit form. Thus, by using only the lifting from prime fields, 
calculation of the division polynomials can also be omitted. In fact, the Hilbert 
class equations can also be lifted in a similar way. 
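Added example (not the paper's code): Algorithm 3 carried out for the maximal order of discriminant d = -35 (h(d) = 2), using only the ordinary case of Step 2 and primes of the constructed form 4p = t^2 - d (c_s = 1). For such primes Z[π] is already the maximal order, so the conductor ambiguity of Remark 2 does not arise and, as in Remark 3, no ring class field has to be built first. The reductions are combined coefficient-wise by a symmetric CRT (Step 3), and Step 4 is done with the Gross-Zagier test of Section 2 (constant term |d|-smooth, discriminant (3/4)|d|-smooth), written here for a quadratic class polynomial. The prime list is an assumption of the example; H_{-35}(x) = x^2 + 117964800 x - 134217728000 is the known value the lift must reproduce.

```python
# Steps 2-4 of Algorithm 3 for d = -35 (h(d) = 2); added example, not the paper's code.
from math import isqrt

D, H = -35, 2
# Constructed prime list: each p satisfies 4p = t^2 - D exactly (c = 1), so every curve
# over F_p with trace +-t has End = Z[pi] = O_D, the maximal order of Q(sqrt(-35)).
PRIMES = [11, 29, 191, 281, 389, 659]


def legendre_table(p):
    """chi[r] = (r/p) for all r in F_p, built once per prime."""
    chi = [-1] * p
    chi[0] = 0
    for y in range(1, p):
        chi[y * y % p] = 1
    return chi


def curve_order(a, b, p, chi):
    """Naive #E(F_p) for y^2 = x^3 + a x + b, p >= 5 (point at infinity included)."""
    return p + 1 + sum(chi[(x * x * x + a * x + b) % p] for x in range(p))


def model_from_j(j, p):
    """The paper's E(j): y^2 = x^3 - 3j/(j-1728) x - 2j/(j-1728) over F_p (j != 0, 1728)."""
    inv = pow((j - 1728) % p, -1, p)
    return (-3 * j * inv) % p, (-2 * j * inv) % p


def trace_for(d, p):
    """The t >= 0 with 4p = t^2 - d, or None if p is not of that form."""
    s = 4 * p + d
    if s < 0:
        return None
    t = isqrt(s)
    return t if t * t == s else None


def poly_from_roots(roots, p):
    """Coefficients of prod (x - r) over F_p, highest degree first."""
    poly = [1]
    for r in roots:
        poly = [(hi - r * lo) % p for hi, lo in zip(poly + [0], [0] + poly)]
    return poly


def class_polynomial_mod_p(d, h, p):
    """Step 2, case (d/p) = 1: keep the h(d) values j in F_p whose curve E(j) has
    #E(F_p) = p + 1 -+ t with 4p = t^2 - d (a curve and its twist share j)."""
    t = trace_for(d, p)
    if t is None:
        raise ValueError(f"4*{p} is not of the form t^2 - d")
    chi = legendre_table(p)
    roots = [j for j in range(p)
             if j not in (0, 1728 % p)
             and curve_order(*model_from_j(j, p), p, chi) in (p + 1 - t, p + 1 + t)]
    if len(roots) != h:
        raise ValueError(f"expected {h} CM j-invariants mod {p}, found {len(roots)}")
    return poly_from_roots(roots, p)


def crt_symmetric(residues, moduli):
    """Step 3: the integer in (-M/2, M/2] with the given residues (Garner's form)."""
    x, m_acc = 0, 1
    for r, m in zip(residues, moduli):
        x += m_acc * (((r - x) * pow(m_acc, -1, m)) % m)
        m_acc *= m
    return x - m_acc if x > m_acc // 2 else x


def lift_class_polynomial(d, h, primes):
    """Steps 2-3: reduce mod each prime, then lift every coefficient by the CRT."""
    mods = [class_polynomial_mod_p(d, h, p) for p in primes]
    return [crt_symmetric([m[i] for m in mods], primes) for i in range(h + 1)]


def largest_prime_factor(n):
    """Largest prime factor of |n| (n != 0) by trial division."""
    n, largest, f = abs(n), 1, 2
    while f * f <= n:
        while n % f == 0:
            n //= f
            largest = f
        f += 1
    return max(largest, n)


def gross_zagier_test(poly, d):
    """Step 4 via the Gross-Zagier test of Section 2, for f = x^2 + Bx + C:
    constant term |d|-smooth and discriminant B^2 - 4C (3/4)|d|-smooth."""
    _, B, C = poly
    return (largest_prime_factor(C) <= abs(d)
            and 4 * largest_prime_factor(B * B - 4 * C) <= 3 * abs(d))


if __name__ == "__main__":
    Hd = lift_class_polynomial(D, H, PRIMES)
    print("H_{-35}(x) coefficients:", Hd)        # [1, 117964800, -134217728000]
    print("passes Gross-Zagier test:", gross_zagier_test(Hd, D))
```

Mod 11, for instance, the scan keeps j = 4 and j = 10 (both curves have 15 = 11 + 1 + 3 points), giving H_{-35}(x) ≡ x^2 + 8x + 7 (mod 11); the product of the six primes is about 4.4 · 10^12, comfortably above twice the largest coefficient, so the symmetric CRT returns the true integers. The constant term factors as -2^27 · 5^3 and the discriminant as 2^32 · 5^3 · 7^2 · 23^2, so both smoothness bounds of the Gross-Zagier test hold, which is the same check Section 6 reports for the degree-174 Weber polynomial.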



5 Examples of CM Tests 

We applied the ordinary reduction CM test of Algorithm 1 to elliptic 
curves over Q: 

    y^2 = x^3 - (3j/(j - 1728)) x - 2j/(j - 1728), 

and took p_1 = 709 and the other small primes p_i > 300 (i = 2, ..., 10). 

The nine tests (i = 2, ..., 10) for 64847 random curves are shown in the table; 
the second row shows the number of non-CM curves which are rejected at the 
i-th test in Step 2. It can be observed that almost all of them are rejected by 
the second or third test, and none of the non-CM curves passed the first five tests. 


  i-th test          |   2   |  3  |  4 | 5 | 6 | 7 | 8 | 9 | 10 
  #{rejected curves} | 64301 | 518 | 25 | 0 | 1 | 0 | 0 | 0 |  0 


There are only two curves which passed the fifth and all the tests, i.e. Δ_i = Δ_1 (i = 
2, ..., 10). Their j-invariants are 

    j = -15^3, -32^3. 

As we know, they are truly CM curves. 

In fact, the supersingular and bad reduction tests distinguish even more sharply 
between CM and non-CM curves (see the proof of Algorithm 1 for the reasons). 

6 Examples of Construction of CM Curves 

Take h = 174, d = -153164 (c = 118, D = -11). The Weber class 
polynomial W_d(x) is lifted from the following 19 ordinary reductions over prime 
fields, 

p_i ∈ {38327, 38867, 39191, 47507, 51287, 52691, 54167, 62627, 68567, 
79907, 84947, 93047, 95891, 98807, 111191, 114467, 128291, 131927, 167891}. 
Below, we show a part of it with small coefficients (the exponents of the terms 
after x^9 are illegible in the scan and are marked x^?). 

W_{-153164}(x) 
= 83076749736557242056487941267521536 
- 4232368399273964044280928775760664985876824064 x 
+ 368084924605827377544121672324954875583624416829269606400 x^2 
- 2624275748798208471286500076638458909115778156744604022472704 x^3 
+ 8768678806186421348959550570215271161369890321457063686916014080 x^4 
- 16489781241655501731333261028106256316481417674894072363666938789888 x^5 
+ 14052650996984969061469817388935214478719631395032143945942480768204800 x^6 
+ 1316957698534275587146922152174696937230311641236011640140627175897300992 x^7 
+ 187665207401131363842364719953353882740237213600641308745260223568262725632 x^8 
+ 9929870984621621110287976074219416286030985077769098391402624741340090466304 x^9 
- 498385867114204441246977838588634367662038236393449178393485837068811632640 x^? 
+ 222970691621676521401110152440392282193616066963741904000906730189831012352 x^? 
+ 71080649261462583121962968317120128417730350894483994673224565837242826752 x^? 
- 95122601321218621133257525298511335715258057070859322566145377909417705472 x^? 
+ 45219601136166877968863776507347766787306724663008364023307302917660213248 x^? 
- 13346061303836276974162247560906288805918444808171101290600486055341195264 x^? 
+ 2533735473792111974391355595590062676497167379451579138250701044846166016 x^? 
- 229201449717292818384655381307402624408559424743601060833918221335658496 x^? 
- 29127664490959341147148412087645366104070287020397722579723027980550144 x^? 
+ 14473860267302632756826256334560085209007765402939877697784495917760512 x^? 
- 2258112416377924786281462113964443394489436517493007632007103426592768 x^? 
+ 2191193264864268167310930742639559955626079860434096600677158158336 x^? 
+ 83836468686457016900558579197995051923247695888030811048035749789696 x^? 
- 23025424599572008411114916423247916567389594073896600604833512751104 x^? 
+ 3834682400163324134854949226517179178979089247690717009845226315776 x^? 
- 457505404001041586182668848182865820193202098775388834291888537600 x^? 
+ 40674500946996572573885826017965346465580116302611164077330751488 x^? 
- 2699648084973365920217575137475352359496836221720470856357117952 x^? 
+ 132458322755123835013929151419628962052310054314389457199693824 x^? 
- 4893615642550662455198795674033213950647022335765111251312640 x^? 
+ 156712318726930577063317755711719630708326947754625000143360 x^? 
- 5285944355408478850726603092149503114717138786904546490368 x^? 
+ 155217476948404923556197740083703204385132790278101561344 x^? 
- 3239096798144628226875867231556073257899072332049833728 x^? 
+ 94021480417507776562198777980278043552510520463707904 x^? 
- 229630960711252290445040913713427951765596468574464 x^? 
- 3429592761776584363504935760776221071566271657712 x^? 
- 9752861942166664038528762369130374074251013536 x^? 
- 553178966475435712930872308777998684975056 x^? 
- 12039696790209383877109384281205985464 x^? 
+ 159660091018550701603559721992 x^? 
- 17722643006531637142016 x^? + ... 

The discriminant of the class polynomial and its constant term passed the Gross-Zagier 
test; the latter has the factorization 

    83076749736557242056487941267521536 = 2^116. 



7 Examples for Cryptosystem Design 

Using the above CM curve (d = -153164), an almost prime elliptic curve E over a 
prime finite field F_p is obtained using Algorithm 4 in the Appendix, where 

p = 6411233586778658698012854170834647184757484423031 
#E(F_p) = 6411233586778658698012849108768570758807340538364 
        = 2^2 · 3 · 1039 · p_max, 
p_max = 514215077540797136510494795377652450979093723. 

The curve has its j-invariant 

j = 37794183507581776432669939667057046706278554144. 

The defining equation of this curve, y^2 = x^3 + ax + b, has the following coefficients: 

a = 4424050837045189024624780453466068541773776795332 
b = 5086445086956345582420805025922261422768346004565 

8 Proof of the Algorithms 

Theorem 3. In Algorithm 1, 

(1) any elliptic curve E/F rejected is without complex multiplication; 

(2) the elliptic curves accepted are with high probability with complex multiplication. 

Sketch of proof: Without loss of generality, we assume that F ⊇ k (if not, one 
can use F := Fk). 

According to the Néron-Ogg-Shafarevich criterion, the Grössencharacter ψ_{E/F} 
is unramified if and only if the elliptic curve E/F has good reduction. In particular, 
for CM curves, if p_i splits in Q(√Δ), E/F_{q_i} is an ordinary reduction, while 
only when p_i is inert or ramified in Q(√Δ) can E/F_{q_i} have supersingular 
good reduction. 

It is known by a result of Serre and Tate that CM curves have potential good 
reduction. Thus they can only have unstable or additive bad reduction. 

Let 𝔭_i be a prime ideal of O_F lying over p_i. By Deuring’s reduction theory 
of elliptic curves, the reduction mod 𝔭_i induces an injective ring homomorphism 
of the endomorphism rings End_F E → End_{F_{q_i}} Ē. This map moreover 
induces a field isomorphism between the endomorphism fields if the elliptic curve 
is with CM and the reduction is ordinary. 

Thus, if a curve E is non-CM and E/F_{q_i} is an ordinary reduction, then the 
endomorphism field of Ē/F_{q_i} will be an imaginary quadratic field with a random 
discriminant. On the other hand, if a curve is CM, one will have the same 
endomorphism field for any ordinary reduction at p_i. 

Thus, the ordinary test will always reject non-CM curves, and after N repetitions 
of the ordinary reduction test, the surviving curves will be CM with probability 
larger than 1 - 1/2^N. 

As to the supersingular reduction, it is known by Serre that for generic curves 
the set of primes S(x) = {p_i < x | E/F_{q_i} is supersingular} has density zero, and it 
is conjectured that #S(x)/π(x) = O(1/√x). Bad reduction at the chosen 
primes is even much rarer for non-CM curves. Therefore, the latter two tests can 
abandon non-CM curves even more efficiently, or with higher probability. QED 

Theorem 4. Algorithm 2 outputs the moduli field Q(j(O_c)) of the ring 
class field modulo (c). 

Sketch of proof: By the second main theorem of complex multiplication [refs], 

    k^c_ray = k_abs(x_c) = k(j(O_k), x_c), 

where x_c is the x-coordinate of a c-torsion point in E[c], and k^c_ray, k^c_ring are 
the ray class field and the ring class field modulo (c), k_abs = k(j(O_k)) and 
k^c_ring = k(j(O_c)). 

On the other hand, one knows that 

    k^c_ray = k^c_ring(h(w_D, O_c)) = k(j(O_c), h(w_D, O_c)), 

where w_D = h(w_D, O_c) is the Weber function. 

Thus, the ring class field k^c_ring, as an extension of k_abs also, can be constructed 
as a subfield of the ray class field k^c_ray. Its moduli field can be found also as a 
subfield. QED 

Theorem 5. Algorithm 3 outputs the ring class equation H_d(x), and thus all 
the CM curves E with End E = O_c ⊂ O_k, where k = Q(√Δ). 

Sketch of proof: Here we assume that the imaginary quadratic field k is not 
contained in the moduli field F = Q(j_c) of k^c_ring. Then K = k^c_ring = Fk. A 
rational prime p ∈ Z decomposes into (p)O_k = 𝔭𝔭', where 𝔭, 𝔭' are prime ideals 
in O_k. Similarly, a prime ideal 𝔓 in O_F decomposes into 𝔓O_K = 𝔔𝔔'. 
By the criterion of Néron-Ogg-Shafarevich, one can prove that E has everywhere 
potentially good reduction, which means that j is integral at all primes 
𝔔 in O_K. Thus for CM curves the minimal polynomial of j, H_d(x), lies in Z[x], and one 
can find the ring class equation H_d(x) mod p_i from E mod 𝔔_i, where 𝔔_i lies 
over p_i, then use the CRT to recover H_d(x). 

The next task is to look for the reductions of the h(d) j-invariants of CM elliptic curves 
which are Galois conjugates of each other. This can be done using again the ramification 
properties of the Grössencharacter ψ_{E/K}: 

e.g. E mod 𝔓 is a good reduction if and only if ψ_{E/K} is unramified. Particularly, 
E mod 𝔓 is an ordinary reduction if and only if 𝔓 splits in O_K, i.e. p splits as 𝔭𝔭' 
or (d/p) = 1. E mod 𝔓 is a supersingular reduction or an additive bad reduction 
if 𝔓 remains inert or ramifies in O_K, i.e., p remains inert or ramifies in O_k, or 
(d/p) = 0, -1. 

These features can be distinguished from the endomorphism rings or by calculation 
with the Frobenius endomorphism. 

Besides, it is easy to prove that the degrees of the 𝔓's which induce supersingular 
and bad reductions in the moduli field Q(j(O_c)) are at most two. Thus, it is 
enough to look for the candidates of CM j-invariants over F_{p^2}. QED 



9 Complexity Analysis 

It is known that for the CM field algorithm by Atkin and Morain, the precision 
Prec(d) needed to calculate a class equation with the class number h is given in [ref]. 
The number of terms required in the series expansion of the j-invariants is 

    S ≈ 2(log 6 + Prec(d) log 10) / (3π√d). 

Using Stirling’s formula n! = (n/e)^n √(2πn), and h = O(√d), Prec(d) = O(2^? h^?) 
and the number of terms required in the series expansion is O(2^? h^?). Thus its 
complexity is an exponential function of h. 

Now we analyze the complexity of Algorithm 3. Since j = O(e^{π√d}), the 
largest coefficient in the class equations is of order [illegible]. 

To lift it by the CRT, one needs to repeat the lifting procedures over O(h^?) finite 
fields F_{q_i}, whose sizes are also O(h^?). Checks through all elements of 
each F_{q_i} as candidates of j-invariants of CM curves in Step 2 cost O(h^?). If 
e.g. in ordinary lifting Kohel’s deterministic algorithm is used to identify the 
isomorphism types of the full endomorphism rings of the elliptic curves E_s/F_{q_i}, which 
runs in time [illegible] for any ε > 0 [ref], then Step 2 will cost [illegible] for each 
F_{q_i}, in all O(h^?). On the other hand, the calculations in Step 
3 to calculate the coefficients of H_d(x) by the CRT will be dominant, which cost 
O(h^7). In conclusion, the whole calculation will be of complexity O(h^7). 
Appendix: Design of Secure Elliptic Cryptosystems with CM Curves 

Once we have a CM elliptic curve over a number field, we can use it to design 
elliptic curves over finite fields using the fast algorithms of reduced quadratic 
forms or Cornacchia’s algorithm [refs]. Below, we show an 
algorithm using reduced quadratic forms. 

Algorithm 4 

Input: E/F: a CM elliptic curve; d: the discriminant of its endomorphism ring. 
Output: q such that E/F_q is an almost prime curve. 

Step 1 Choose q, a power of a prime p (if p = 2, assume d ≡ 1 (mod 8)); 

Step 2 Find an m_0 such that m_0^2 ≡ d (mod 4q); 

Step 3 Let n' = 4q, m' = 2m_0, l' = (m_0^2 - d)/4q. If the reduced binary form of 
g(x', y') = n'x'^2 + m'x'y' + l'y'^2 is not f(x, y) = x^2 - d y^2, go to Step 2; 

Step 4 Calculate the modular transformation A from g(x', y') to f(x, y) such that 

    (x, y)^T = A (x', y')^T,   A = [[a_11, a_12], [a_21, a_22]]; 

Step 5 Let t = a_11; check whether #E(F_q) = q + 1 - t contains a large prime factor, 
i.e. is almost prime. If not, go to Step 2 to find a new m_0, or go to Step 1. 
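Added example (not the paper's code) for Steps 2-5 of Algorithm 4, the kind of computation behind the Section 7 design, applied to the CM curve j = -32^3 from Section 5 (endomorphism ring of discriminant d = -11). Instead of the reduced-quadratic-form steps, the representation 4q = t^2 - d c^2 is found by a direct search over c (a Cornacchia-style substitute), which gives t only up to sign; the sign, i.e. the choice between the curve and its quadratic twist (both have the same j), is fixed by scalar multiplication of a few points, since the two candidate orders q + 1 ∓ t are told apart by the group exponent. The demo primes, the search range and the cofactor bound are assumptions of the example.

```python
# Steps 2-5 of Algorithm 4 for the CM curve j = -32^3 (End of discriminant d = -11);
# added example, not the paper's code. The quadratic-form step is replaced by a
# direct search for 4q = t^2 - d c^2, and the sign of t is fixed by scalar multiplication.
from math import isqrt


def model_from_j(j, q):
    """The paper's E(j): y^2 = x^3 - 3j/(j-1728) x - 2j/(j-1728) reduced mod q."""
    inv = pow((j - 1728) % q, -1, q)
    return (-3 * j * inv) % q, (-2 * j * inv) % q


def represent(d, q):
    """Smallest c >= 1 with 4q + d c^2 a perfect square t^2; None if there is none
    (then q does not split into principal ideals of the order, e.g. q is inert)."""
    c = 1
    while 4 * q + d * c * c >= 0:
        t = isqrt(4 * q + d * c * c)
        if t * t == 4 * q + d * c * c:
            return t, c
        c += 1
    return None


def sqrt_mod(n, q):
    """A square root of n mod q or None: closed form for q = 3 (mod 4),
    brute force otherwise (demo sizes only)."""
    n %= q
    if n == 0:
        return 0
    if pow(n, (q - 1) // 2, q) != 1:
        return None
    if q % 4 == 3:
        return pow(n, (q + 1) // 4, q)
    return next(y for y in range(1, q) if y * y % q == n)


def ec_add(P, Q, a, q):
    """Affine group law on y^2 = x^3 + a x + b over F_q; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % q == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, q) % q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, q) % q
    x3 = (lam * lam - x1 - x2) % q
    return x3, (lam * (x1 - x3) - y1) % q


def ec_mul(n, P, a, q):
    """Double-and-add scalar multiplication."""
    R = None
    while n:
        if n & 1:
            R = ec_add(R, P, a, q)
        P = ec_add(P, P, a, q)
        n >>= 1
    return R


def is_prime(n):
    return n >= 2 and all(n % f for f in range(2, isqrt(n) + 1))


def is_almost_prime(n, max_cofactor):
    """Step 5 criterion: n = c * r with r prime and c <= max_cofactor."""
    return any(n % c == 0 and is_prime(n // c) for c in range(1, max_cofactor + 1))


def cm_curve_order(j, d, q):
    """(a, b, #E(F_q)) for E = E(j) mod q, or None when 4q = t^2 - d c^2 has no solution.
    The two candidates q + 1 -+ t (curve and twist share j) are told apart by
    finding a point P that only one candidate order annihilates."""
    rep = represent(d, q)
    if rep is None:
        return None
    t, _ = rep
    a, b = model_from_j(j, q)
    candidates = {q + 1 - t, q + 1 + t}
    for x in range(q):
        y = sqrt_mod(x * x * x + a * x + b, q)
        if y is None:
            continue
        candidates = {n for n in candidates if ec_mul(n, (x, y), a, q) is None}
        if len(candidates) == 1:
            return a, b, candidates.pop()
        if not candidates:
            raise ValueError("no candidate order annihilates the point; bad input")
    raise ValueError("group exponent divides both candidate orders; q too small")


if __name__ == "__main__":
    J, D = -32 ** 3, -11            # CM curve found by the CM test in Section 5
    print(cm_curve_order(J, D, 23))  # (12, 8, 15): #E(F_23) = 15 = 23 + 1 - 9
    # Constructed search over primes q = 3 (mod 4) above 10^5 for an order 2*prime or 4*prime.
    for q in range(100003, 110000, 4):
        if not is_prime(q):
            continue
        try:
            result = cm_curve_order(J, D, q)
        except ValueError:
            continue
        if result and is_almost_prime(result[2], 4):
            print("q =", q, " (a, b, #E(F_q)) =", result)
            break
```

For q = 23 the search gives 92 = 9^2 + 11, so the order is 15 or 33; the first point found, (0, 13), has order 5 and is not killed by 33, which settles #E(F_23) = 15. For q = 7 the representation does not exist (7 is inert in Q(√-11)), which is the supersingular case Algorithm 4 never uses. At the sizes of Section 7 one would replace the naive `is_prime` and the brute-force branch of `sqrt_mod` with proper primality and Tonelli-Shanks routines; the selection logic stays the same.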
Abstract. The discrete logarithm problem forms the basis of numerous 
cryptographic systems. The most effective attack on the discrete logarithm 
problem in the multiplicative group of a finite field is via the index calculus, 
but no such method is known for elliptic curve discrete logarithms. Indeed, 
Miller [23] has given a brief heuristic argument as to why no such method 
can exist. In this note we give a detailed analysis of the index calculus 
for elliptic curve discrete logarithms, amplifying and extending Miller’s 
remarks. Our conclusions fully support his contention that the natural 
generalization of the index calculus to the elliptic curve discrete logarithm 
problem yields an algorithm which is less efficient than a brute-force search 
algorithm. 



0. Introduction 

The discrete logarithm problem for the multiplicative group of a finite field 
can be solved in subexponential time using the Index Calculus method, which 
appears to have been first discovered by Kraitchik [14, 15] in the 1920’s and 
subsequently rediscovered and extended by many mathematicians. (See, for 
example, [1] and [43], and for a nice summary of the current state-of-the-art, 
see [29].) For this reason, it was proposed independently by Miller [23] and 
Koblitz [12] that for cryptographic purposes one should replace the multiplicative 
group by the group of rational points E(F_q) on an elliptic curve, thus leading to 
the Elliptic Curve Discrete Logarithm Problem, which we abbreviate as the ECDL 
problem. Indeed, Victor Miller gives in his article [23, page 423] two reasons why 
“it is extremely unlikely that an ‘index calculus’ attack on elliptic curves will 
ever be able to work.” Miller’s reasons may be briefly summarized as follows: 

(1) It is difficult to find elliptic curves ℰ/Q with a large number of small 
rational points. This observation may be split into two pieces. 

(a) It is difficult to find elliptic curves ℰ/Q with high rank. 

(b) It is difficult to find elliptic curves ℰ/Q generated by points of small 
height. 

K. Ohta and D. Pei (Eds.): ASIACRYPT’98, LNCS 1514, pp. 110-125, 1998. 
(2) Given an elliptic curve ℰ/Q, a large prime p, and a point S ∈ ℰ(F_p) in the 
image of the reduction map ℰ(Q) → ℰ(F_p), it is difficult to lift S to a 
point of ℰ(Q). 

Miller [23] devotes three paragraphs to giving some rough heuristic reasons to 
justify these assertions. This lack of an index calculus for the ECDL problem is 
often cited as a reason for the high security of modern cryptosystems based on 
ECDL’s, as for example in the following excerpt [6]. 

Most significantly, no index-calculus-type algorithms are known for the 
ECDL problem as for the DLP (discrete logarithm problem). For this 
reason, the ECDL problem is believed to be much harder than either the 
IFP (integer factorization problem) or the DLP in that no subexponential-time 
general-purpose algorithm is known. 

In view of the importance of the ECDL problem in modern cryptography, it 
seems worthwhile making a more detailed and in-depth analysis of the possibility 
of an index calculus for the ECDL problem. That is the purpose of this paper. 
We will explain how, using a method of Mestre, it is possible to lift an elliptic 
curve E modulo p to an elliptic curve ℰ over Q of moderately high rank possessing 
generators of moderately low height. We will further give both numerical and 
theoretical evidence which suggests that if p is large, then it will never be possible 
to use the index calculus on such a curve ℰ to solve the discrete logarithm 
problem in E(F_p). The fundamental reason, already alluded to in Miller’s paper, 
but which we will make much more precise, is that the generators P_1, ..., P_r on 
a lifted curve ℰ/Q of rank r will necessarily have (logarithmic) height at least 

    h(P_i) ≥ A + B log(p) + C r log(r) 

for certain positive constants A, B, C. By way of contrast, the generators (factor 
basis) for the multiplicative group consist of the first r primes p_1, p_2, ..., p_r, 
whose (logarithmic) heights 

    h(p_n) = log(p_n) ≤ log(p_r) ≤ C' log(r) 

are exponentially smaller (as a function of r) than in the elliptic curve situation. 

In summary, our theoretical and numerical work fully supports Miller’s conclusion 
that the natural generalization of the index calculus to the elliptic curve 
discrete logarithm problem yields an algorithm which is less efficient than a 
brute-force search algorithm. 

The detailed contents of this paper are as follows: 

Section 1. A brief description of the discrete logarithm problem and the index 
calculus for the multiplicative group. 

Section 2. A discussion of the discrete logarithm problem for elliptic curves and 
a more detailed description of Miller’s obstructions. 

Section 3. A theoretical discussion of elliptic curves of high rank, the size of 
their generators, and the number of points of bounded height. 

Section 4. Mestre’s method for constructing curves of moderately high rank with 
generating points of moderately low height, in theory and in practice. 
Section 5. The problem of lifting curves and points modulo p to points in $\mathcal{E}(\mathbb{Q})$. 

1. The Index Calculus for the Multiplicative Group 

In this section we briefly review the index calculus method for solving the discrete 
logarithm problem in the multiplicative group $\mathbb{F}_p^*$ of a finite field $\mathbb{F}_p$, where p is 
a fixed large prime. The discrete logarithm problem (DLP) asks: 

(DLP) Given two elements $\alpha, \beta \in \mathbb{F}_p^*$, find k such that $\alpha^k = \beta$. 

Assuming it exists, the value of k satisfying $\alpha^k = \beta$ is denoted by 

$k = \log_\alpha(\beta)$. 



The first step in the index calculus is to choose what is known as a factor 
basis consisting of the first r primes, 

$\mathcal{F}_r = \{2, 3, 5, 7, 11, \dots, p_r\}$, 

where we will choose r later. We write $\langle\mathcal{F}_r\rangle$ for the semi-group generated by $\mathcal{F}_r$; 
that is, $\langle\mathcal{F}_r\rangle$ consists of all integers whose prime divisors are all less than or equal 
to $p_r$. Numbers in $\langle\mathcal{F}_r\rangle$ are usually called $p_r$-smooth, and it is vitally important 
to have an accurate count of how many smooth numbers there are, so we let 

$N(\mathcal{F}_r, B) = \#\{a \in \langle\mathcal{F}_r\rangle : 1 \le a \le B\}$. 

(This slightly non-classical notation will be useful for comparison with the elliptic 
curve situation. In the more usual notation, $N(\mathcal{F}_r, B)$ equals $\Psi(B, p_r)$.) 

If B is large in comparison to r, then it is quite easy to estimate the size 
of $N(\mathcal{F}_r, B)$ as the volume of an r-dimensional simplex. Thus 

$N(\mathcal{F}_r, B) = \#\{(e_1, \dots, e_r) : e_1, \dots, e_r \ge 0,\ e_1\log p_1 + \cdots + e_r\log p_r \le \log B\} \approx \dfrac{1}{r!}\,\dfrac{(\log B)^r}{\prod_{i=1}^r \log p_i}$. 

Then using Stirling’s formula and the prime number theorem (in the form $p_i \sim 
i\log i$) yields 

$N(\mathcal{F}_r, B) \approx \dfrac{1}{\sqrt{2\pi r}}\left(\dfrac{e\log B}{r\log r}\right)^r$ for $B \gg r$. (1) 

We have derived this formula for $N(\mathcal{F}_r, B)$ not because it is useful for the index 
calculus (it isn’t), but for later comparison with the elliptic case. 

The index calculus begins by computing the powers $\alpha, \alpha^2, \alpha^3, \dots$ and lifting 
each of these values from $\mathbb{F}_p$ to $\mathbb{Z}$, say 

$\alpha^j \equiv a_j \pmod p$ with $1 \le a_j < p$. 

Each $a_j$ is then checked against $\langle\mathcal{F}_r\rangle$, and if it is in this semi-group, we record 
the value 

$a_j = \prod_{i=1}^r p_i^{e_i(j)}$. (2) 

Notice that since $a_j = \alpha^j$ in $\mathbb{F}_p^*$ and since $\mathbb{F}_p^*$ has order $p - 1$, each relation (2) 
gives a linear equation 

$j \equiv \sum_{i=1}^r e_i(j)\log_\alpha(p_i) \pmod{p - 1}$. (3) 

We continue computing the powers of α until we obtain r independent linear 
relations (3), at which point the equations can be solved for the r unknowns 
$\log_\alpha(p_1), \dots, \log_\alpha(p_r)$. [Remark. We will neglect the fact that, in practice, the 
value of r will generally be sufficiently large so as to make it extremely difficult 
to solve the resulting system of r linear equations, even though they tend to be 
extremely sparse.] 

The final step is to lift the quantities $\beta, \alpha\beta, \alpha^2\beta, \dots$ to $\mathbb{Z}$, say 

$\alpha^j\beta \equiv b_j \pmod p$ with $1 \le b_j < p$, 

until we find a single value of j for which $b_j$ lies in $\langle\mathcal{F}_r\rangle$, say 

$b_j = \prod_{i=1}^r p_i^{f_i}$. 

Since $b_j = \alpha^j\beta$ in $\mathbb{F}_p^*$, this yields 

$j + \log_\alpha(\beta) \equiv \sum_{i=1}^r f_i\log_\alpha(p_i) \pmod{p - 1}$, 

and since we already know the values of the $\log_\alpha(p_i)$’s, we recover the desired 
value of $\log_\alpha(\beta)$. 

The key question in implementing the index calculus method is the choice of 
the number r of primes in the factor base. If r is too small, then it is very unlikely 
that the $a_j$’s will lie in $\langle\mathcal{F}_r\rangle$, while if r is too large, it will be computationally 
difficult to determine if a given $a_j$ lies in $\langle\mathcal{F}_r\rangle$. Notice that the latter problem 
is that of finding the complete factorization of a number $a < p$ by primes at 
most $p_r$, which shows how the factorization problem is closely tied into the 
index calculus. 

The probability that a given $1 \le a < p$ lies in $\langle\mathcal{F}_r\rangle$ is approximately equal 
to $N(\mathcal{F}_r, p)/(p - 1)$. Using the approximation (1) and taking $B = p$, we find 
that this quantity is maximized for $r \approx \log p/\log\log p$, which unfortunately 
leads to a probability which is $\ll p^{-1+\epsilon}$, far too small to be useful. 

114 J.H. Silverman and J. Suzuki 

However, it turns out that (1) is not a good approximation in our situation, 
because for moderately large values of r, most of the numbers in $N(\mathcal{F}_r, p)$ are 
of the form $p_1^{e_1}\cdots p_r^{e_r}$ with many of the $e_i$’s equal to 0, and the rest quite 
small. In geometric terms, most of the numbers in $N(\mathcal{F}_r, p)$ represent points 
which lie on the boundary of the simplex whose volume is being approximated 
in the formula (1). 

We will not give a detailed analysis here, since the final counting result, 
although by no means easy, is well-known and amply described in many sources. 
For example, it is proven in [5] that 

[formula illegible], where $L(x) = \exp\left(\sqrt{\log x\,\log\log x}\right)$. 

(Here, as usual, $\Psi(x, y)$ is the number of positive integers less than x whose 
prime factors are all at most y.) Using a weak form of this result, which suffices 
for comparison with the elliptic curve case, we see that 

If $r \approx$ [illegible] then $N(\mathcal{F}_r, p) > p$ [remainder illegible]. 

Thus a sub-exponential value for r (i.e., r is smaller than any power of p) suffices 
to give a sub-exponential probability of hitting an element in $\langle\mathcal{F}_r\rangle$. The reason 
that $N(\mathcal{F}_r, p)$ becomes this large is because the primes $p_1, p_2, \dots, p_r$ in the rank r 
factor base are small, satisfying 

$\log p_i \approx \log i \le \log r$. (4) 

We want to emphasize this point because it is fundamentally different from what 
occurs for elliptic curves, where the elements of a rank r factor base have size 
on the order of rlogr. 

Remark. There are various improvements that are typically used to supplement 
the index calculus, including storing large factors of the $a_j$’s not factorable 
in the factor base so as to take advantage of overlaps (birthday phenomenon) 
and using fancier factorization methods (e.g., based on the number field sieve). 
At present, we don’t see analogous methods for elliptic curves, but even if they 
exist, they are unlikely to affect our overall analysis, since even saving a square 
root does not substantially change an exponential running time. 
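The procedure of this section, as an added example that is not from the paper: relation collection (2)/(3) over the factor base $\mathcal{F}_r$, the final lift of $\alpha^j\beta$, and a direct count of $N(\mathcal{F}_r, B)$ against the simplex approximation (1). To solve (3) without a linear-algebra library it assumes $p = 2q + 1$ with q prime, solving modulo q by elimination and modulo 2 by Euler's criterion; the prime p = 1019 and the instance below are constructed for illustration.

```python
# Added example (not from the paper): classical index calculus in F_p^* with the
# factor base F_r of the first r primes. Assumes p = 2q + 1 with q prime, so the
# relations (3) are solved mod q (a field), mod 2 (Euler's criterion), then
# combined by CRT to a value mod p - 1.
from math import e, log, pi, sqrt

FIRST_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def factor_over_base(a, base):
    """Exponent vector (e_1, ..., e_r) of a over the factor base, or None when a
    is not p_r-smooth, i.e. not in the semi-group <F_r>."""
    exps = []
    for p_i in base:
        count = 0
        while a % p_i == 0:
            a //= p_i
            count += 1
        exps.append(count)
    return exps if a == 1 else None


def smooth_count(base, bound):
    """N(F_r, B) by direct enumeration: #{1 <= a <= B : a is p_r-smooth}."""
    return sum(1 for a in range(1, bound + 1) if factor_over_base(a, base) is not None)


def smooth_count_estimate(r, bound):
    """The simplex approximation (1): (1 / sqrt(2 pi r)) (e log B / (r log r))^r."""
    return (e * log(bound) / (r * log(r))) ** r / sqrt(2 * pi * r)


def solve_mod_prime(rows, rhs, q):
    """Gauss-Jordan elimination over F_q for rows * x = rhs (q prime).
    Returns x when every unknown gets a pivot, else None (need more relations)."""
    n = len(rows[0])
    m = [[v % q for v in row] + [b % q] for row, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((i for i in range(col, len(m)) if m[i][col]), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, q)
        m[col] = [(v * inv) % q for v in m[col]]
        for i in range(len(m)):
            if i != col and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % q for a, b in zip(m[i], m[col])]
    return [m[i][n] for i in range(n)]


def index_calculus_dlog(p, alpha, beta, r):
    """Return k with alpha^k = beta in F_p^*; alpha a generator, p = 2q + 1, q prime."""
    q = (p - 1) // 2
    base = FIRST_PRIMES[:r]
    # Relation collection: lift alpha^j to Z and keep the p_r-smooth ones, eq. (2).
    rows, rhs, logs_mod_q = [], [], None
    for j in range(1, p - 1):
        exps = factor_over_base(pow(alpha, j, p), base)
        if exps is None:
            continue
        rows.append(exps)
        rhs.append(j)
        if len(rows) >= r:
            logs_mod_q = solve_mod_prime(rows, rhs, q)  # eq. (3) taken mod q
            if logs_mod_q is not None:
                break
    if logs_mod_q is None:
        raise ValueError("not enough independent relations; enlarge r")
    # Mod 2: alpha^k is a square iff k is even, so Euler's criterion on each p_i
    # gives log_alpha(p_i) mod 2 directly.
    logs_mod_2 = [0 if pow(p_i, q, p) == 1 else 1 for p_i in base]
    # CRT for the coprime moduli 2 and q: take the mod-q value or shift it by q.
    logs = [b if b % 2 == a else b + q for a, b in zip(logs_mod_2, logs_mod_q)]
    # Final step: find j with alpha^j * beta smooth, then
    # log_alpha(beta) = sum f_i log_alpha(p_i) - j  (mod p - 1).
    for j in range(p - 1):
        f = factor_over_base((pow(alpha, j, p) * beta) % p, base)
        if f is not None:
            return (sum(fi * li for fi, li in zip(f, logs)) - j) % (p - 1)
    raise ValueError("no smooth lift of beta found; enlarge r")


if __name__ == "__main__":
    # Constructed toy instance: p = 1019 = 2 * 509 + 1 and alpha = 2 generates F_p^*.
    p, alpha, beta = 1019, 2, 123
    k = index_calculus_dlog(p, alpha, beta, r=6)
    print(k, pow(alpha, k, p) == beta)
    # (1) badly underestimates the true count at this size, as the text says
    print(smooth_count(FIRST_PRIMES[:6], p), smooth_count_estimate(6, p))
```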

2. The Discrete Logarithm Problem for Elliptic Curves 

The discrete logarithm problem for an elliptic curve E over a finite field $\mathbb{F}_p$ is 
virtually identical to the analogous problem for the multiplicative group. We 
change notation slightly from the multiplicative case to reflect the fact that the 
addition law on an elliptic curve is always written additively. We thus assume 
that our elliptic curve E is given by a Weierstrass equation 

$E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$ 

whose coefficients lie in the finite field $\mathbb{F}_p$. The discrete logarithm problem for 
elliptic curves (ECDLP) asks: 

(ECDLP) Given two points $S, T \in E(\mathbb{F}_p)$, find m such that $T = mS$. 

Note that the group operation is addition in $E(\mathbb{F}_p)$, and we are being asked to 
compute the integer $m = \log_S(T)$. We also let 

$N = N_p = \#E(\mathbb{F}_p)$ 

denote the order of the finite group $E(\mathbb{F}_p)$. There is a polynomial-time algo- 
rithm for computing N due to Schoof [30], with improvements by Elkies [8] and 
Atkin [3], which makes it quite practical to compute N for moderate values 
of p, say for $p <$ [bound illegible], and certainly possible for even larger values. 

There are various special cases for which the ECDL problem can be solved, 
including the following: 

(1) If $N = p + 1$, the so-called “supersingular” case, then the ECDL problem 
can be reduced to the discrete logarithm problem on the multiplicative 
group. More generally, if N divides $p^k - 1$, then the ECDL problem can 
be reduced to the discrete logarithm problem on the multiplicative group 
of the finite field with $p^k$ elements. Of course, this is only practical if k 
is not too large. For details, see [20] and [9]. 

(2) If $N = p$, the so-called “anomalous” case, then the ECDL problem can 
be reduced to simple addition in $\mathbb{F}_p$, essentially by lifting the curve mod- 
ulo $p^2$. See [31], [39], and [28]. 

(3) If N is divisible by only small primes, then one can use the method 
of Pohlig and Hellman [25] and Pollard [26] which solves the discrete 
logarithm problem in time [bound illegible], where $p'$ is the largest prime divisor 
of N. 

(4) Although not directly relevant, we also mention that the discrete loga- 
rithm problem can be solved on the Jacobian J of a curve of genus g pro- 
vided that g [relation illegible] p [2]. The reason is that in this situation, the group $J(\mathbb{F}_p)$ 
is highly non-cyclic. For cryptographic applications of the elliptic case, 
one normally chooses E so that $E(\mathbb{F}_p)$ is cyclic of prime order. 

Assuming that none of these methods is applicable, it is tempting to try to 
adapt the index calculus method described in Section 1 directly to the elliptic 
curve case. Here’s a brief summary of how such an index calculus would work. 

(1) Choose an elliptic curve $\mathcal{E}/\mathbb{Q}$ which reduces to $E/\mathbb{F}_p$ and which has a rea- 
sonably large number of independent rational points, say $P_1, P_2, \dots, P_r$. 

(2) Compute the multiples $S, 2S, 3S, \dots$ in $E(\mathbb{F}_p)$, and for each j, try to 
lift jS to a rational point $S_j \in \mathcal{E}(\mathbb{Q})$. That is, $S_j \equiv jS \pmod p$. If this 
is successful, then write $S_j$ as a linear combination 

$S_j = \sum_{i=1}^r n_{ij}P_i$ in $\mathcal{E}(\mathbb{Q})$. 

(3) After r of the jS’s have been lifted, we have r linear equations 

$j = \sum_{i=1}^r n_{ij}\log_S(P_i)$ 

which can be solved for the individual $\log_S(P_i)$’s. 

(4) Next try to lift $T, T + S, T + 2S, T + 3S, \dots$ to $\mathcal{E}(\mathbb{Q})$, say that $T + jS$ 
lifts to $T_j$. Write 

$T_j = \sum_{i=1}^r m_iP_i$ in $\mathcal{E}(\mathbb{Q})$. 

Then 

$\log_S(T) + j = \sum_{i=1}^r m_i\log_S(P_i)$, 

and since we know the values of the $\log_S(P_i)$’s, we recover the desired 
value of $\log_S(T)$. 

There are a number of possible difficulties with putting the above outline into 
practice. Victor Miller [23, page 423] has given two reasons why “it is extremely 
unlikely that an ‘index calculus’ attack on elliptic curves will ever be able to 
work.” His reasons can be briefly summarized as follows (where all quotes are 
from [23]): 

Rank/Height Obstruction. “Unless the rank of the curve can be made very 
large, and the regulator made fairly small, the probability of a point of $E(\mathbb{F}_p)$ 
lifting to a point on $E(\mathbb{Q})$ whose height is bounded by something reasonable (say 
a polynomial in $\log p$) is vanishingly small.” 

Lifting Obstruction. “Even if one could somehow get around the barrier men- 
tioned above, there is still the problem of actually lifting a point.” One can try 
to lift first to a point $(x_1, y_1) \in E(\mathbb{Z}/p^2\mathbb{Z})$, but “there are many possible choices 
for $(x_1, y_1)$. ... Thus, unless there is a new idea, it would seem that this is 
another barrier, difficult to surmount.” 

In the remainder of this paper, we are going to analyze in more detail the 
elliptic index calculus and the obstructions noted by Miller. We begin in the 
next section with a discussion of the heights of points on elliptic curves. 

3. Counting Points on Elliptic Curves Over Q 

For this section we briefly forget about elliptic curves over finite fields and discuss 
the distribution (theoretical, practical, and conjectural) of the rational points 
on elliptic curves defined over Q. For basic facts about elliptic curves, see for 
example [18, 33, 34]. 

Let $\mathcal{E}/\mathbb{Q}$ be an elliptic curve given by a minimal Weierstrass equation 

$\mathcal{E} : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$ 

and discriminant $\Delta(\mathcal{E})$. Recall that the height of a rational number $r/s \in \mathbb{Q}$ is 
defined to be 

$H(r/s) = \max\{|r|, |s|\}$. 
The canonical height of a point $P \in \mathcal{E}(\mathbb{Q})$ is then defined to be 

$\hat{h}(P) = \dfrac{1}{2}\lim_{n\to\infty}\dfrac{1}{n^2}\log H(x(nP))$, 

and the associated inner product for $P, Q \in \mathcal{E}(\mathbb{Q})$ is 

$\langle P, Q\rangle = \dfrac{1}{2}\left(\hat{h}(P + Q) - \hat{h}(P) - \hat{h}(Q)\right)$. 

This inner product is positive definite on $\mathcal{E}(\mathbb{Q}) \otimes \mathbb{R}$, and the elliptic regulator of 
a set of points $P_1, \dots, P_r \in \mathcal{E}(\mathbb{Q})$ is defined to be 

$\mathrm{Reg}(\mathcal{E}) = \det\left(\langle P_i, P_j\rangle\right)_{1 \le i, j \le r}$. 

(Generally, $P_1, \dots, P_r$ will be a set of generators for $\mathcal{E}(\mathbb{Q})/(\mathrm{tors})$, or in numerical 
examples, an explicitly given set of points. If the set of points is not clear from 
the context, we will write $\mathrm{Reg}(\mathcal{E}, P_1, \dots, P_r)$.) 

We are interested in counting the number of points in $\mathcal{E}(\mathbb{Q})$ of bounded height, 
so we set 

$N(\mathcal{E}, B) = \#\{P \in \mathcal{E}(\mathbb{Q}) : H(x(P)) \le B\}$, 
$T(\mathcal{E}) = \#\mathcal{E}(\mathbb{Q})_{\mathrm{tors}}$, 
$r = r(\mathcal{E}) = \operatorname{rank}\mathcal{E}(\mathbb{Q})$, 
$\alpha_r = \pi^{r/2}/\big((r/2)\Gamma(r/2)\big)$ = volume of the unit ball in $\mathbb{R}^r$. 



Using Stirling’s formula, we have the useful approximation 

$\alpha_r \approx \dfrac{1}{\sqrt{\pi r}}\left(\dfrac{2\pi e}{r}\right)^{r/2}$. (5) 

The ordinary and canonical heights are related by 

$\hat{h}(P) = \dfrac{1}{2}\log H(x(P)) + O_{\mathcal{E}}(1)$. (6) 

We will say more later about the dependence of the big-O constant on $\mathcal{E}$, but 
for now we will ignore its effect (which is negligible in the numerical examples 
presented below). Then we can estimate $N(\mathcal{E}, B)$ by simply counting lattice 
points in $\mathbb{R}^r$ relative to the canonical height inner product. Thus 

$N(\mathcal{E}, B) = \#\{P \in \mathcal{E}(\mathbb{Q}) : H(x(P)) \le B\}$ 
$\approx T(\mathcal{E})\,\#\{P \in \mathcal{E}(\mathbb{Q}) : \hat{h}(P) \le \tfrac{1}{2}\log B\}$ from (6), 
$\approx T(\mathcal{E})\,\alpha_r\,\dfrac{(\tfrac{1}{2}\log B)^{r/2}}{\sqrt{\mathrm{Reg}(\mathcal{E})}}$ 
$\approx \dfrac{T(\mathcal{E})}{\sqrt{\pi r}}\left(\dfrac{\pi e\log B}{r\cdot\mathrm{Reg}(\mathcal{E})^{1/r}}\right)^{r/2}$ from (5). 
We mention that $T(\mathcal{E}) \le 16$ by Mazur’s Theorem [33, VIII.7.5], so the effect from 
torsion is negligible. In practice, our curves will have trivial torsion, because it 
has been observed experimentally that the presence of rational torsion makes it 
more difficult to obtain high rank. 

The above formula says that we shouldn’t expect to get very many points 
until $\log B$ and $\mathrm{Reg}(\mathcal{E})^{1/r}$ are of a comparable size, so we need to study the 
magnitude of the regulator. 

A basic result from the geometry of numbers says that (see [17, chapter 5, 
corollary 7.8]) 

$\mathrm{Reg}(\mathcal{E})^{1/r} \ge$ [constant illegible] $\cdot \min_{P \in \mathcal{E}(\mathbb{Q}),\ \hat{h}(P) \ne 0}\hat{h}(P)$. (7) 

Further, there is a conjecture of Lang [18, page 92] which says that for non- 
torsion points $P \in \mathcal{E}(\mathbb{Q})$, 

$\hat{h}(P) \ge c\log|\Delta(\mathcal{E})|$, 

where the constant c is independent of $\mathcal{E}$. This conjecture has been largely 
proven [11, 35], albeit with extremely small constants c. Thus, as Miller already 
observes in [23], it is not possible to get $N(\mathcal{E}, B)$ large unless one chooses 

$\log B \ge r\log|\Delta|$. 

But if $\mathcal{E}$ is the lift of an elliptic curve over $\mathbb{F}_p$, then we’ll certainly have $\log|\Delta| \gg 
\log p$. Then there’s the further difficulty that Mestre proves (subject to various 
“standard” conjectures) 

$\log|\Delta| \ge r\log r$, 

so if we make r large, then the value of Δ (and hence B) will be enormous. 

The next step is to see how this theoretical analysis, which is essentially given 
by Miller [23], compares to actual practice. 

4. High Rank Curves With Small Height Points 

It is difficult to find elliptic curves over Q with high rank, as witnessed by the 
fact that no curves of rank 12 were known before 1982 [22], and even today the 
highest rank known is 23 [19]. 

Currently the most successful method for finding curves of high rank is to 
start on a one or two-parameter family such that every member of the family 
already contains many independent points, and then specialize to find certain 
members which possess even higher rank. However, this method is not suitable 
for our purposes, because we are starting with a curve over Fp that we want 
to lift, so we need more freedom than is provided by such a family. Thus we 
are going to consider an earlier method of Mestre which can be applied in great 
generality. Mestre’s idea is simple to state, although the justification for why it 
should yield high rank curves depends on much deep mathematics and several 
unproven conjectures: 
Mestre’s Construction 

In order to produce a curve $\mathcal{E}/\mathbb{Q}$ of high rank, use congruence con- 
ditions to choose the coefficients of $\mathcal{E}$ so that $\#\mathcal{E}(\mathbb{F}_\ell)$ is maximized 
for all (small) primes $\ell = 2, 3, 5, \dots, \ell_0$, and then so that the dis- 
criminant $|\Delta(\mathcal{E})|$ is more-or-less minimized subject to the congruence 
conditions. Then search for integer points lying close to the right- 
most real two-torsion point $(e_1, 0)$, say searching for points $(x, y)$ 
with $e_1 \le x \le e_1 + 5000$. We will call a curve chosen according to 
these criteria a Mestre curve. The precise algorithm for construct- 
ing Mestre curves is described in [22], and some justification for the 
algorithm is given in [21]. 

In his original paper [22], Mestre lists the smallest curves of ranks 4 to 12 
which he found using the above method. Two of the listings appear to have 
typographical errors, and for the remaining curves we gather some information 
in Table 1, where $P_1, \dots, P_r$ denotes a basis for $\mathcal{E}(\mathbb{Q})$. 



Table 1. Data for Mestre’s moderate rank curves 

  r   Reg(E)^{1/r} / ((1/12) log|Δ|)   min ĥ(P_i) / ((1/12) log|Δ|)   max ĥ(P_i) / ((1/12) log|Δ|)   log|Δ| / (r log r) 
  4              0.612                          0.772                          0.844                     2.382 
  5              0.627                          0.840                          0.941                     2.362 
  6              0.600                          0.937                          0.994                     2.295 
  7              0.696                          1.032                          1.063                     2.116 
  8              0.776                          1.103                          1.128                     2.111 
  9              0.543                          1.051                          1.073                     2.311 
 10              0.756                          1.091                          1.106                     2.271 
 12              0.674                          0.916                          0.923                     2.273 
 14              0.585                          1.018                          1.025                     2.341 


A first observation (from Mestre’s paper) is that the curves constructed by his 
method generally have square-free, or almost square-free, discriminant. This is 
very reasonable, because Mestre’s bound for the rank alluded to above actually 
has the form 

$r\log r \ll \log(\mathrm{Cond}\,\mathcal{E})$, 

where the conductor $\mathrm{Cond}\,\mathcal{E}$ is (essentially) the square-free part of Δ. Thus 
having a large square dividing the discriminant will make it more difficult for 
the curve to have large rank. 

A second observation, this time from Table 1, is that the independent points 
constructed by Mestre’s method seem to satisfy 

$\hat{h}(P_i) \approx \dfrac{1}{12}\log|\Delta(\mathcal{E})|$. 
We can justify this observation as follows. Mestre’s method yields points $P = 
(x, y) \in \mathcal{E}(\mathbb{Q})$ which have integer coordinates $x, y \in \mathbb{Z}$ and which are fairly close 
to the 2-torsion point $T = (e_1, 0)$. The local decomposition of the canonical 
height says that 

$\hat{h}(P) = \lambda_\infty(P) + \sum_p \lambda_p(P)$. 

(See [34, chapter VI] for the definition and basic properties of the local height 
functions $\lambda_p$.) Assuming that the discriminant Δ is (mostly) square-free and 
that the coordinates of P are integers, the p-adic local heights add up to give 
(approximately) $\frac{1}{12}\log|\Delta|$, see [34, VI.4.1]. Further, the fact that P is close to T 
means that $\lambda_\infty(P) \approx \lambda_\infty(T)$, which yields 

$\hat{h}(P) \approx \lambda_\infty(T) + \dfrac{1}{12}\log|\Delta|$. 

Finally, the explicit formula [34, VI.3.4] for $\lambda_\infty$ shows that 

$\lambda_\infty(T) = \log^+|j(\mathcal{E})| + O(1)$, 

which will tend to be fairly small. (For explicit estimates, see [36, 37].) 

An additional point to make is that the value $\frac{1}{12}\log|\Delta|$ is essentially the small- 
est possible value for $\hat{h}(P)$ on a Mestre curve, since the fact that the discriminant 
is square-free means that all of the $\lambda_p(P)$’s satisfy 

$\lambda_p(P) \ge \dfrac{1}{12}\operatorname{ord}_p(\Delta)\log p$, 

and if the coordinates of P have denominators and/or P moves further away 
from $e_1$, then the value of $\hat{h}(P)$ will tend to increase. It is thus not surprising 
that the points constructed by Mestre’s method tend to be independent, since 
they represent vectors of approximately the same length L in a lattice whose 
smallest non-zero vector also has length L. To see why this is true, consider s 
vectors $v_1, v_2, \dots, v_s \in \mathbb{R}^r$ satisfying $|v_i - v_j| \ge L$ and $|v_i| = L$ for all $i \ne j$. 
Then the balls of radius L around each $v_i$ are disjoint, and they are contained in 
a ball of radius 2L, so a simple volume counting argument shows that $r \ge \log_2(s)$. 
The data in Table 1 indicates that 

$\min_i \hat{h}(P_i) \approx \dfrac{1}{12}\log|\Delta(\mathcal{E})|$ and [fraction illegible] $\cdot\log|\Delta(\mathcal{E})| \le \mathrm{Reg}(\mathcal{E})^{1/r} \le$ [fraction illegible] $\cdot\log|\Delta(\mathcal{E})|$. (8) 

A reasonable assumption, based on this data, would be that it is possible to find 
Mestre curves of various ranks with 

$\mathrm{Reg}(\mathcal{E})^{1/r} \approx \dfrac{1}{20}\log|\Delta(\mathcal{E})|$. (9) 

Using this and the other material described above, we obtain the following 
(heuristic) result: 
Heuristic Bound. Based on the numerical data contained in [21] and the above 
theoretical analysis, it appears to be possible to use Mestre’s method to produce 
elliptic curves $\mathcal{E}/\mathbb{Q}$ so that the number of rational points 

$N(\mathcal{E}, B) = \#\{P \in \mathcal{E}(\mathbb{Q}) : H(x(P)) \le B\}$ 

in $\mathcal{E}(\mathbb{Q})$ grows like 

$N(\mathcal{E}, B) \approx \dfrac{1}{\sqrt{\pi r}}\left(\dfrac{20\pi e\log B}{r\log|\Delta(\mathcal{E})|}\right)^{r/2}$. (10) 

Further, it is probably not possible to find elliptic curves such that $N(\mathcal{E}, B)$ grows 
significantly faster than this rate. 

Remark. We also observe from Table 1 that the discriminant tends to satisfy 

$2r\log r \le \log|\Delta(\mathcal{E})| \le 3r\log r$, 

but since for the ECDL problem we will need to impose an extra congruence 
condition modulo a “large” prime p, we will not use this condition directly. How- 
ever, it is important to point out that this estimate implies that the generating 
points on a Mestre curve generally satisfy 

$\hat{h}(P_i) \gg r\log r$. 

Comparing this to the analogous estimate (4) for the multiplicative group, we 
see that the size of the generating elements for a rank r group is exponentially 
worse in the elliptic curve case! 

5. Lifting Mod p Curves to High Rank Curves 

It’s now time to put into practice the theoretical material contained in the pre- 
vious sections. Table 2 lists the results of some experiments we performed using 
Mestre’s method to lift a curve over $\mathbb{F}_p$ to a curve of moderate rank. We chose 
to use $p = 173$ and more-or-less randomly took the curve 

$E : y^2 = x^3 + 42x + 86$. 

(We did choose E so that $\#E(\mathbb{F}_{173}) = 158$ is small, which has the effect of 
making Mestre’s method a little less efficient.) Although not strictly necessary, 
the algorithm described in [22] uses curves of a slightly different form, so we 
changed coordinates to the isomorphic curve 

$E : y^2 + y = x^3 + 42x + 129$ 



over the field $\mathbb{F}_{173}$. We then used Mestre’s method to look for lifts of this curve 
which have the maximum number of points modulo all primes $\le 23$, and among 
these curves looked for independent integral points on the ones having small 
discriminant. The result was that of 269280 curves tested, there were three 
examples of rank 6 and three examples of rank 7. The relevant data for these 
six curves is listed in Table 2. 



Table 2. Lifting From Mod 173 To Moderate Rank 

  r   Reg(E)^{1/r} / ((1/12) log|Δ|)   min ĥ(P_i) / ((1/12) log|Δ|)   max ĥ(P_i) / ((1/12) log|Δ|)   log|Δ| / (r log r) 
  6              0.702                          0.849                          0.948                     5.823 
  6              0.722                          0.890                          0.965                     5.859 
  6              0.673                          0.854                          0.942                     6.252 
  7              0.670                          0.908                          0.937                     4.651 
  7              0.686                          0.891                          0.952                     4.712 
  7              0.672                          0.861                          0.971                     4.956 


Comparing Table 2 to Table 1, we see that the relationship between the regu- 
lator, the discriminant, and the minimal and maximal heights of the generators 
is more-or-less the same in both tables. Not surprisingly, what has changed is 
that for a given rank, the discriminant is much larger in Table 2 than it is in 
Table 1. This is very reasonable, since Table 1 imposes no prior restrictions on 
the coefficients of $\mathcal{E}$, while in Table 2 we are forcing the coefficients of $\mathcal{E}$ to have 
specific values modulo 173. This means that the discriminant of $\mathcal{E}$ should be 
forced upwards by some power of p. 

A reasonable assumption is that $\log|\Delta|$ will grow linearly in both $\log p$ and 
in $r\log r$ (the latter from Mestre’s results and Table 1), say 

$\log|\Delta| \approx c_1\log p + c_2\,r\log r$. 

Fitting the data in Table 2 to this formula (note $p = 173$), we find the best fit is 

$\log|\Delta| \approx 11.93\log p + 0.26\,r\log r$. (11) 

(Note that for our subsequent analysis, it would make little difference if $c_1$ were 
to be reduced to, say, 5.) 

Now suppose we want to solve the ECDL problem for a given prime p by 
using Mestre’s method to lift $E/\mathbb{F}_p$ to a curve $\mathcal{E}/\mathbb{Q}$ of moderately large rank. 
Looking at the Heuristic Bound (10), in order to have a reasonable chance of 
lifting a point of $E(\mathbb{F}_p)$ to a point of $\mathcal{E}(\mathbb{Q})$ of height at most B, we need $N(\mathcal{E}, B)$ 
fairly close to p, say $N(\mathcal{E}, B) \ge p/2^{10}$. Then (10) and (11) give us the lower 
bound 

$\log B \ge \dfrac{r\log\left(p^{11.93}\,r^{0.26r}\right)}{20\pi e}\left(\dfrac{p\sqrt{\pi r}}{2^{10}}\right)^{2/r}$. (12) 
The following table gives, for various values of p, the value of r which minimizes 
this lower bound and the corresponding lower bound for B. 

Table 3. Best Lower Bound for B in (12) 

    p        r       B >           B > 
  2^20      15    2^72.63        p^3.63 
  2^40      40    2^398.08       p^9.95 
  2^80      87    2^1823.54      p^22.79 
  2^120    134    2^4297.13      p^35.81 
  2^160    180    2^7830.74      p^48.94 

We thus see that for any reasonable size prime p (for cryptographic purposes, 
one would certainly never use a prime smaller than $2^{80}$), the smallest allowable B 
is a substantial power of p. For the sake of argument, we will make the optimistic 
assumption that we can take $B = p^{10}$, but as the table makes clear, the true value 
of B is likely to be much larger. We will also suppose, again being optimistic, 
that it is possible to find a suitable lift $\mathcal{E}/\mathbb{Q}$ whose rank is on the order of 100 
to 200, despite the fact that no curves of rank > 24 are currently known. 

However, even for $B = p^{10}$ and a curve $\mathcal{E}/\mathbb{Q}$ with known generators $P_1, \dots, P_r$, 
we are confronted with the second enormous challenge posed in Miller’s paper. 
Namely, how do we lift a given point on $E(\mathbb{F}_p)$ to a point on $\mathcal{E}(\mathbb{Q})$, even if we 
know that there is such a lift with height less than $p^{10}$? Certainly we don’t 
want to check all suitable linear combinations $\sum n_iP_i$, since this is no better 
than a brute-force search through a set with $N(\mathcal{E}, B)$ elements, and we’ve cho- 
sen B so that $N(\mathcal{E}, B) \approx p$. On the other hand, we could try to lift the given 
point p-adically, that is, first lift mod $p^2$, then mod $p^3$, etc. If we could do this 
correctly, then when we lift modulo $p^{10}$, we will have found the desired point 
in $\mathcal{E}(\mathbb{Q})$, since we know that the x-coordinate of the desired point has height less 
than $p^{10}$. Unfortunately, as Miller points out, at each step in this p-adic lifting 
process, we are faced with p possible lifts for each lift in the previous step. Since 
there is no (known) method for deciding a priori which of the lifts will lead to 
an actual point in $\mathcal{E}(\mathbb{Q})$, this method leads to a tree with [number illegible] nodes to check, 
clearly not a feasible task. 

Of course, if the lifting problem could be efficiently solved for (say) $p \approx 2^{160}$ 
and $B = p^{10} \approx 2^{1600}$, either by p-adic or other methods, then it might be 
feasible to solve “real-world” ECDL problems using the index calculus. However, 
the numbers involved are so staggeringly large that it seems very unlikely that 
this lifting problem has a practical solution. 

The key point here is that it is necessary to choose B to be a substantial 
power of p in order to have enough points of height $\le B$ to cover most of $E(\mathbb{F}_p)$, 
and for such a large B, there is no method other than a brute force search to find 
the desired lift of a given point in $E(\mathbb{F}_p)$. If it had been possible to cover $E(\mathbb{F}_p)$ 
with points of $\mathcal{E}(\mathbb{Q})$ having height at most (say) $\sqrt{p}$, which is essentially what 
happens for the discrete logarithm problem in the multiplicative group, or even 
height at most p, then quite possibly there is a good (i.e., efficient) way of lifting 
points. But the fact that the generators for $\mathcal{E}(\mathbb{Q})$ have height $\gg r\log r$, as 
compared with height $\ll \log r$ in the multiplicative case, means that we cannot 
hope to cover $E(\mathbb{F}_p)$ with points of $\mathcal{E}(\mathbb{Q})$ having such small height. This, then, 
explains why it is very unlikely that there is an index calculus for elliptic curve 
discrete logarithms which is directly analogous to the classical index calculus for 
the multiplicative group. 
Abstract. Rijmen and Preneel recently proposed for the first time a family of trapdoor 
block ciphers [?]. In this family of ciphers, a trapdoor is hidden in S-boxes and is 
claimed in [?] to be undetectable for properly chosen parameters. Given the trapdoor, 
the secret key (used for encryption and decryption) can be recovered 
easily by applying Matsui’s linear cryptanalysis [?]. 

In this paper, we break this family of trapdoor block ciphers by developing 
an attack on the S-boxes. We show how to find the trapdoor in the 
S-boxes and demonstrate that it is impossible to adjust the parameters 
of the S-boxes such that detecting the trapdoor is difficult while 
finding the secret key from the trapdoor information is easy. 



1 Introduction 

In cryptography, the design of secure trapdoor one-way functions has long been a 
challenging problem. Many previous proposals have been broken and the existing 
“secure” ones are mostly based on a few conjectures about hard problems in 
number theory. 

Recently, Rijmen and Preneel proposed a family of trapdoor block ciphers 
[?] which we will call RP trapdoor ciphers. In such ciphers, a trapdoor is built 
into S-boxes. Knowledge of the trapdoor allows one to determine the correlation 
between output bits of the cipher’s round function. This correlation is in turn 
used to find the secret key by performing Matsui’s linear cryptanalysis on a 
small amount of known plaintexts [?]. In [?], it was claimed that the trapdoor 
with properly chosen parameters is undetectable and RP trapdoor ciphers may 
be used for public key encryption. 

In this paper, we break RP trapdoor block ciphers by developing an attack 
on the trapdoor S-boxes. We first demonstrate that the trapdoor can be found 
from the S-boxes. We then show that RP trapdoor block ciphers cannot be 
made secure by adjusting system parameters, since it is not possible for such 
ciphers to meet the following two contradicting requirements simultaneously: 1) 
be resistant to our attack and, 2) be computationally efficient in finding the 
secret key using linear cryptanalysis once the trapdoor is known. 

K. Ohta and D. Pei (Eds.): ASIACRYPT’98, LNCS 1514, pp. 126-[illegible], 1998. 

© Springer-Verlag Berlin Heidelberg 1998 

This paper is organized as follows. The trapdoor S-boxes and RP trapdoor 
ciphers are briefly reviewed in Section 2. In Section 3, we present our attack on 
RP trapdoor ciphers (more precisely, on the trapdoor S-boxes). In Section 4, we 
show that it is not possible to construct secure RP trapdoor ciphers by adjusting 
system parameters. We conclude the paper in Section 5. 



2 RP Trapdoor Ciphers 

RP trapdoor ciphers make use of the “type II” linear relations as defined in [?]: 
correlations that exist between output bits of a cipher’s round function/S-boxes. 
Knowledge of the trapdoor reveals the correlations and allows linear cryptanal- 
ysis to be carried out to determine the secret key from some known plaintexts. 



2.1 Trapdoor $m \times n$ S-Boxes

The trapdoor in RP trapdoor ciphers is built into S-boxes. An $m \times n$ S-box has $m$-dimensional and $n$-dimensional Boolean vectors as its inputs and outputs, respectively. It can be represented by $2^m$ $n$-dimensional Boolean vectors, i.e., $S = \{v_0, v_1, \ldots, v_{2^m - 1}\}$. For input $x \in \{0, 1, \ldots, 2^m - 1\}$, the output of the S-box is defined as $S(x) = v_x$, where $x$ can be treated as an $m$-dimensional vector. In the following, we denote the $j$th bit of $v_i$ as $v_i[j]$. That is, $v_i = \langle v_i[1], v_i[2], \ldots, v_i[n] \rangle$.

In an RP trapdoor cipher, the trapdoor $m \times n$ S-box is constructed as follows. First, choose a non-zero $n$-dimensional Boolean vector $\beta = \langle \beta[1], \beta[2], \ldots, \beta[n] \rangle$ and let $\beta[q] = 1$. Then randomly choose the values of $v_i[j]$ for $i = 0, 1, \ldots, 2^m - 1$ and $j = 1, \ldots, q-1, q+1, \ldots, n$. Finally, set the values of $v_i[q]$, $i = 0, 1, \ldots, 2^m - 1$, such that

$$\beta[1] v_i[1] \oplus \cdots \oplus \beta[q] v_i[q] \oplus \cdots \oplus \beta[n] v_i[n] = v_i \cdot \beta = 0 \qquad (1)$$

holds with probability $p_T$ (which has a value very close to 1). Equation (1) is equivalent to a correlation

$$c_T = 2 p_T - 1$$

between the constant zero function and $\beta \cdot S(x)$. The trapdoor is the Boolean vector $\beta$. It was claimed in [5] that finding $\beta$ from published S-boxes is difficult for suitable parameters, say, $m = 10$, $n = 80$ and $p_T = 1 - 2^{-5}$. RP trapdoor ciphers are designed on this supposition.



2.2 Trapdoor Ciphers 

RP trapdoor ciphers are based on the Feistel structure. In a Feistel block cipher with $2n$-bit block size and $r$ rounds, plaintext and ciphertext consist of two $n$-bit halves denoted as $L_0, R_0$ and $L_r, R_r$ respectively. Each round operates as follows:

$$R_i = L_{i-1} \oplus F(K_i \oplus R_{i-1})$$
$$L_i = R_{i-1}$$

for $i = 1, 2, \ldots, r$, where $K_i$ is the $i$th round subkey and $F$ is the round function. Note that after the last round, the swapping of the halves is undone to make encryption and decryption similar.

In [5], variants on both CAST and LOKI91 were studied. In this paper, we only consider trapdoor CAST ciphers since all the discussions here can be extended to trapdoor LOKI91 ciphers directly.

The CAST family of ciphers are 64-bit Feistel ciphers. Its round function $F$ is based on four $8 \times 32$ S-boxes (i.e., $m = 8$, $n = 32$), which have components that are either randomly chosen or are bent functions. Mathematically, the round function is given by

$$F(x) = S_1(x_1) \oplus S_2(x_2) \oplus S_3(x_3) \oplus S_4(x_4)$$

where $x$, the 32-bit input, is the concatenation of 4 bytes $x = x_1 \| x_2 \| x_3 \| x_4$ and where $S_1, \ldots, S_4$ are four $8 \times 32$ S-boxes.

In a trapdoor CAST cipher, the four S-boxes use the same trapdoor $\beta$ but possibly with different values of $p_T$, denoted as $p_T^{(1)}, \ldots, p_T^{(4)}$. The following relation holds

$$\beta \cdot F(x) = \beta \cdot S_1(x_1) \oplus \beta \cdot S_2(x_2) \oplus \beta \cdot S_3(x_3) \oplus \beta \cdot S_4(x_4)$$

Hence the round function correlates with the constant zero function with a correlation equal to

$$c_F = c_T^{(1)} c_T^{(2)} c_T^{(3)} c_T^{(4)}$$

where $c_T^{(i)} = 2 p_T^{(i)} - 1$ (the piling-up lemma applied to the four terms above).

It was stated in [5] that CAST should be extended in a natural way to a 128-bit block cipher by using $8 \times 64$ S-boxes. This, it claimed, will make the trapdoor undetectable. Unfortunately, this claim is false, as we will show in the next section.



3 Attack on RP Trapdoor Ciphers 

In this section, we show that the trapdoor in an RP trapdoor cipher can be found easily and directly from the S-boxes.

RP trapdoor ciphers as described in the last section have $l = n/m$ S-boxes, each consisting of $2^m$ $n$-dimensional Boolean vectors. By way of their construction as presented in Section 2.1, we know that the vectors in the S-boxes are randomly chosen; therefore, the total number of distinct vectors in the $l$ S-boxes, denoted by $N$, should be very close to $l \cdot 2^m$. We also know that each S-box is associated with a probability $p_T^{(i)}$. Let

$$p_T = \frac{1}{l} \sum_{i=1}^{l} p_T^{(i)}$$

denote the average of these probabilities.

Let all the $N$ distinct vectors in the $l$ S-boxes be denoted as $\{v_1, v_2, \ldots, v_N\}$. From Section 2.1 we know that the trapdoor $\beta$ satisfies

$$v_i \cdot \beta = 0$$

for $i = 1, 2, \ldots, N$ with probability $p_T$. Hence, the problem of finding the trapdoor is to find a $\beta$ such that

$$\begin{pmatrix} v_1[1] & v_1[2] & \cdots & v_1[n] \\ v_2[1] & v_2[2] & \cdots & v_2[n] \\ \vdots & \vdots & & \vdots \\ v_N[1] & v_N[2] & \cdots & v_N[n] \end{pmatrix} \begin{pmatrix} \beta[1] \\ \beta[2] \\ \vdots \\ \beta[n] \end{pmatrix} = \begin{pmatrix} \alpha[1] \\ \alpha[2] \\ \vdots \\ \alpha[N] \end{pmatrix} \qquad (2)$$

for a Boolean vector $\alpha = \langle \alpha[1], \alpha[2], \ldots, \alpha[N] \rangle$ of Hamming weight approximately equal to $N(1 - p_T)$.



The following algorithm is used to determine the trapdoor $\beta$ directly from the $l$ S-boxes.

Algorithm 1.

Step 1. Choose $n$ vectors, denoted as $v_{i_1}, v_{i_2}, \ldots, v_{i_n}$, randomly from $v_1, v_2, \ldots, v_N$.

Step 2. Solve the $n$ equations for $x_\beta$:

$$v_{i_k} \cdot x_\beta = 0 \quad \text{for } k = 1, 2, \ldots, n$$

Step 3. If non-zero solutions do not exist, go to Step 1. If solutions, say $\beta_1, \beta_2, \ldots, \beta_t$, are found, check whether they satisfy (2). If some $\beta_j$ does satisfy (2), then it is the trapdoor $\beta$ we are looking for; otherwise, go to Step 1.

Observations

1. If we happen to choose $v_{i_1}, v_{i_2}, \ldots, v_{i_n}$ in Step 1 such that $v_{i_k} \cdot \beta = 0$ for $k = 1, 2, \ldots, n$, then the system in Step 2 has non-zero solutions and $\beta$ must be among them. By checking them one by one against (2), we can find this $\beta$.

2. If we can find another $\beta' (\ne \beta)$ also satisfying (2), this $\beta'$ can also be used as trapdoor information in the linear attack for finding the secret key.

3. Since $v_i \cdot \beta = 0$ with probability $p_T$, such a "lucky choice" happens with probability about $(p_T)^n$. Hence, it is guaranteed to find a trapdoor with this probability. (The exact probability counts the ways of choosing $n$ vectors among those satisfying $v_i \cdot \beta = 0$ out of the $\binom{N}{n}$ possible choices; this number is very close to $(p_T)^n$ when $N$ is much larger than $n$ and $p_T$ is close to 1. Here $\binom{N}{n}$ denotes the number of ways of choosing $n$ objects from $N$ objects.)

4. The number of solutions $t$ won't be very large. This is because the vectors of the S-boxes are randomly chosen except for one bit (at bit position $q$); therefore, the rank of the matrix in (2) is close to $n$ with large probability.

Now let's look at a trapdoor CAST cipher with 128-bit block size ($n = 64$) and $p_T = 1 - 2^{-5}$ (this value of $p_T$ was given in [5] as an example to illustrate the strength of the RP trapdoor cipher). The value of $(p_T)^n$ is about 0.1311. By repeating Steps 1 and 2 of the algorithm 32 times, we expect to get the value of $\beta$ with probability 98.89%. This example shows clearly that RP trapdoor block ciphers are very vulnerable under our attack.
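As an added illustration (not code from the paper), the following Python script plants a trapdoor into four small constructed S-boxes using the Section 2.1 construction and then recovers it with Algorithm 1, which is the check one would run to audit a published S-box set for such a hidden relation. Parameters are scaled down to m = 6, n = 16, l = 4 and p_T = 1 − 2^{−5}; the planted β and the random seed are assumptions.

```python
"""Algorithm 1 on constructed RP-style trapdoor S-boxes (added example).

Vectors are Python ints: bit j-1 of the int holds v[j].  Scaled-down
parameters (m = 6, n = 16, l = 4 S-boxes) keep the run to well under a second.
"""
import random


def dot(a, b):
    """Boolean dot product over GF(2): parity of the AND of the two vectors."""
    return bin(a & b).count("1") & 1


def make_trapdoor_sboxes(m, n, p_t, beta, count, rng):
    """Section 2.1 construction: every bit is random except bit q (a set bit
    of beta), which is fixed so that v . beta = 0 with probability p_t."""
    q = (beta & -beta).bit_length() - 1   # lowest set bit of beta plays the role of q
    rest = beta & ~(1 << q)               # beta with bit q removed
    sboxes = []
    for _ in range(count):
        box = []
        for _ in range(1 << m):
            v = rng.getrandbits(n) & ~(1 << q)
            parity = dot(v, rest)         # contribution of the random bits
            want_zero = rng.random() < p_t
            # v . beta = parity XOR v[q]; pick v[q] so the sum is 0 (or 1) as chosen
            if parity == (1 if want_zero else 0):
                v |= 1 << q
            box.append(v)
        sboxes.append(box)
    return sboxes


def gf2_nullspace(rows, n):
    """Basis of {x : row . x = 0 for every row} over GF(2), via reduced row echelon form."""
    pivots = []                           # list of (pivot_bit, reduced_row)
    for r in rows:
        for pb, pr in pivots:             # eliminate existing pivot columns from r
            if r >> pb & 1:
                r ^= pr
        if r:
            pb = r.bit_length() - 1
            pivots = [(b, p ^ r if p >> pb & 1 else p) for b, p in pivots]
            pivots.append((pb, r))
    pivot_bits = {pb for pb, _ in pivots}
    basis = []
    for free in range(n):                 # one basis vector per free column
        if free in pivot_bits:
            continue
        x = 1 << free
        for pb, pr in pivots:
            if pr >> free & 1:
                x |= 1 << pb
        basis.append(x)
    return basis


def satisfies_relation(beta, vectors, p_t):
    """Check (2): the Hamming weight of alpha = (v_i . beta)_i must be close to
    N(1 - p_t).  A random non-zero beta gives weight about N/2, so anything
    below N/4 is far outside what chance produces and well above N(1 - p_t)."""
    weight = sum(dot(v, beta) for v in vectors)
    return weight < len(vectors) // 4


def find_trapdoor(sboxes, n, p_t, rng, max_tries=500):
    """Algorithm 1: Step 1 sample n vectors, Step 2 solve, Step 3 test each
    non-zero solution against (2); repeat on failure.  Each try succeeds with
    probability about p_t ** n (Observation 3)."""
    vectors = sorted({v for box in sboxes for v in box})   # the N distinct vectors
    for _ in range(max_tries):
        chosen = rng.sample(vectors, n)                     # Step 1
        basis = gf2_nullspace(chosen, n)                    # Step 2
        if not basis or len(basis) > 8:                     # no solution / degenerate draw
            continue
        for mask in range(1, 1 << len(basis)):              # all non-zero solutions
            cand = 0
            for i, b in enumerate(basis):
                if mask >> i & 1:
                    cand ^= b
            if satisfies_relation(cand, vectors, p_t):      # Step 3
                return cand
    return None


def demo(seed=1998):
    """Plant a trapdoor (assumed value) in four 6 x 16 S-boxes and recover it.
    Returns (planted beta, recovered beta)."""
    rng = random.Random(seed)
    p_t = 1 - 2 ** -5
    beta = 0b1011001100010110
    boxes = make_trapdoor_sboxes(6, 16, p_t, beta, 4, rng)
    return beta, find_trapdoor(boxes, 16, p_t, rng)


if __name__ == "__main__":
    planted, found = demo()
    print(f"planted {planted:016b}  recovered {found:016b}")
```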



4 The Impossibility of Designing Secure RP Trapdoor Ciphers

In Section 3, we developed an attack on RP trapdoor ciphers. We demonstrated that the trapdoor can be determined easily from the S-boxes. In this section, we show that it is impossible to design secure practical RP trapdoor ciphers.

We observe that there is a tradeoff between resisting our attack (i.e., Algorithm 1) and the effort required to find the secret key from the trapdoor using linear cryptanalysis. This tradeoff can be adjusted by selecting the system parameters $r$ (number of rounds), $m$, $n$, and $p_T$. The smaller $(p_T - 0.5)$ is, the more difficult it is to succeed in Algorithm 1, but at the same time, the more difficult it is to find the secret key from the given trapdoor using linear cryptanalysis. Also, large values of $m$ and $n$ increase the computational complexity of Algorithm 1, as well as the size of the S-boxes. To simplify our notation and without loss of generality, in the following we assume that $p_T^{(1)} = p_T^{(2)} = \cdots = p_T^{(l)}$.

Two basic requirements must be met in the design of a practical secure block cipher:

Requirement 1. The block cipher should be secure in the sense that it resists all the known attacks.

Requirement 2. The block cipher should be practical in the sense that the program size should not be too large.

To design a practical secure trapdoor cipher, two more requirements must be met:

Requirement 3. The trapdoor should be secure in the sense that it is hard to find the trapdoor even if its general form is known.

Requirement 4. The trapdoor should be practical in the sense that the secret key can be found easily once the trapdoor is given.

We now show that it is not possible to design an RP trapdoor cipher that satisfies the above four requirements simultaneously. We do this by showing that if an RP trapdoor cipher meets the first three requirements, then it cannot meet the fourth requirement.
To satisfy the first requirement, the round number cannot be too small. Thus, we expect that

$$r > 8 \qquad (3)$$

To satisfy the second requirement, the total size of the S-boxes is expected to be less than 128 Megabytes (i.e., $2^{30}$ bits). This is the same as saying that

$$\frac{n}{m} \left( n \, 2^m \right) < 2^{30} \qquad (4)$$

To satisfy the third requirement, we expect the following relation to hold:

$$(p_T)^n < 2^{-?} \qquad (5)$$

For an RP trapdoor cipher that satisfies conditions (3), (4) and (5) simultaneously, we evaluate the amount of known plaintexts required to carry out a successful linear cryptanalysis according to Matsui's algorithm 2. The minimum numbers of plaintexts with respect to different values of $m$ are listed in Table 1.



m    Number of plaintexts required    m    Number of plaintexts required
6    2^(illegible)                    15   2^(illegible)
7    2^(illegible)                    16   2^(illegible)
8    2^(illegible)                    17   (illegible)
9    2^(illegible)                    18   2^(illegible)
10   2^(illegible)                    19   (illegible)
11   2^(illegible)                    20   (illegible)
12   2^(illegible)                    21   2^(illegible)
13   (illegible)                      22   2^(illegible)
14   2^(illegible)                    23   does not exist since $p_T < 0.5$

Table 1. The number of known plaintexts required to carry out the linear cryptanalysis for an RP trapdoor cipher satisfying the first three requirements.



From Table 1, we see that too many plaintexts are required to carry out the linear cryptanalysis based on knowledge of the trapdoor in order to discover the secret key. Although there may be some other methods to reduce the amount of known plaintexts (e.g., reducing the round number or increasing the size of the S-boxes to a certain value), we believe that the number of known plaintexts required to carry out a successful linear cryptanalysis is still very large. Thus, we are forced to conclude that it is impossible to design practical secure RP trapdoor block ciphers.



132    H. Wu et al.



5 Conclusions 

The security of RP trapdoor block ciphers lies in the undetectability of a trapdoor built into the S-boxes. It was claimed in [5] that it is hard to obtain the trapdoor from the S-boxes and therefore RP trapdoor ciphers can be used for public key encryption. In this paper, we showed how to break such ciphers by finding the trapdoor directly from the S-boxes. We demonstrated our attack on RP trapdoor ciphers based on "type II" linear relations.

In addition to trapdoors based on "type II" linear relations, trapdoors that make use of "type I" linear relations were also proposed in [5]. "Type I" linear relations are defined as the correlations between input and output bits of the round function. Unfortunately, this latter type of trapdoor is also vulnerable to our attack.

Other than hiding linear relations, another method proposed in [5] is to hide differentials in block ciphers in order to make them vulnerable to differential cryptanalysis [2]. However, the construction of this kind of trapdoor was not given in [5], and it seems that hiding differentials is more difficult than hiding linear relations. So far, trapdoors based on hiding differentials remain an open problem.
Abstract. Knudsen and Berson have applied the truncated differential attack on 5 round SAFER K-64 successfully. However, their attack is not efficient when applied to 5 round SAFER SK-64 (with the modified key schedule) and cannot be applied to 6 round SAFER.

In this paper, we improve the truncated differential attack on SAFER by using a better truncated differential and an additional filtering method. Our attack on 5 round SAFER (both SAFER K-64 and SAFER SK-64) can find the secret key much faster than by exhaustive search. Also, the number of chosen plaintexts required is less than that needed in Knudsen and Berson's attack. Our attack on 6 round SAFER (both SAFER K-64 and SAFER SK-64) can find the secret key faster than by exhaustive search.



1 Introduction 

In [6], Massey proposed an encryption algorithm, SAFER K-64. It is an iterated block cipher with 64-bit block size. The suggested number of rounds is minimum 6 and maximum 10 [6,7]. Knudsen discovered a weakness in the key schedule of SAFER and suggested a modified version [3]. Later, this new key schedule was adopted by Massey, which resulted in SAFER SK-64 [8]. Also, Massey suggested 8 rounds to be used for SAFER with 64-bit key. The other variants of SAFER with 128-bit key are SAFER K-128 and SAFER SK-128, corresponding to SAFER K-64 and SAFER SK-64, respectively.

Evidence was given in [7] that SAFER is secure against differential cryptanalysis [1] after 5 rounds. In [2], SAFER is shown to be secure against linear cryptanalysis [9] after 2 rounds. In [5], Knudsen and Berson applied truncated differential cryptanalysis [6] on 5 round SAFER K-64 successfully. Their result showed that the secret key of 5 round SAFER K-64 can be found much faster than by exhaustive search. However, their attack is not efficient when applied to 5 round SAFER SK-64. Also, their attack cannot be extended to attack 6 round SAFER since too many wrong pairs are not filtered out.

In this paper, we improve the truncated differential cryptanalysis and apply it to 5 round and 6 round SAFER. We propose a better truncated differential and an additional filtering method in our attacks. For 5 round SAFER (both SAFER K-64 and SAFER SK-64), our truncated differential has probability of about $2^{-69}$ on average and about $2^{38}$ chosen plaintexts (a large reduction in the amount of chosen plaintexts) are needed to find the secret key. This attack runs in time similar to $2^{?}$ encryptions of 5-round SAFER. For 6 round SAFER, our truncated differential has a probability of about $2^{-?}$ and about $2^{?}$ chosen plaintexts are needed. This attack runs in time similar to $2^{?}$ encryptions of 6-round SAFER.

K. Ohta and D. Pei (Eds.): ASIACRYPT'98, LNCS 1514, pp. 133-147, 1998.
© Springer-Verlag Berlin Heidelberg 1998

The paper is organised as follows. Section 2 briefly reviews the SAFER algorithms. Section 3 introduces Knudsen and Berson's truncated differential attack on 5 round SAFER K-64. In Section 4, we present our attack on 5 round SAFER. Our attacks on 6 round SAFER are given in Section 5. Section 6 discusses the strength of 7 round SAFER and Section 7 concludes the paper.



2 Description of SAFER 

SAFER K-64 is an iterated block cipher with both block and key sizes of 64 bits and with all the operations done on bytes. The key is expanded to $2r + 1$ round keys each of 8 bytes, where the round number $r$ was suggested to be 6 [6] and then 8 [8], respectively. Each round takes 8 bytes of text input and two round keys each of 8 bytes. Each round consists of 4 layers as shown in Fig. 1.

The first layer consists of xoring or adding modulo 256 with the first round key. In the second layer, the 8 bytes pass through two permutations or S-boxes: $X(a) = (45^a \bmod 257) \bmod 256$, and the inverse of $X$, $Z(a) = \log_{45}(a) \bmod 257$ for $a \ne 0$ and $Z(0) = 128$. The third layer consists of adding modulo 256 or xoring with the second round key. The final layer is the Pseudo-Hadamard Transformation (PHT). It is defined by three layers of the 2-PHT

$$\text{2-PHT}(x, y) = (2x + y,\ x + y)$$

where each coordinate is taken modulo 256. After the last round, an output transformation is applied, which consists of xoring or adding modulo 256 with the last round key and is the same as the first layer of the round operation. We call this the last half round in the rest of the paper.

The PHT-transformation is simply described by a matrix $M$ [6]. Let the input be a vector $v = [v_1, v_2, \ldots, v_8]$; then the output is obtained by $v \cdot M$. $M$ and its inverse $M^{-1}$ are given, respectively, by (1).
Fig. 1. One round of SAFER

The 8-byte key is expanded to $2r + 1$ round keys each of 8 bytes. The original key schedule works as follows. Let $K = (k_1, \ldots, k_8)$ be an 8-byte key. The round key byte $j$ in round $i$ is denoted as $K_{i,j}$. The round key bytes are derived as follows:

for $j = 1, 2, \ldots, 8$: $t_{1,j} = K_{1,j} = k_j$
for $i = 2, \ldots, 2r + 1$:
    for $j = 1, 2, \ldots, 8$: $t_{i,j} = t_{i-1,j} \lll 3$
    for $j = 1, 2, \ldots, 8$: $K_{i,j} = (t_{i,j} + bias[i,j]) \bmod 256$

where $\lll 3$ is a bitwise rotation 3 positions to the left and $bias[i,j] = X[X[9i + j]]$, where $X$ is the exponentiation permutation.

Knudsen suggested a modified key schedule for SAFER to eliminate the key schedule weakness found by him [3]. Later, this key schedule was adopted for SAFER by Massey in [8]. The original SAFER is now called SAFER K-64 and the one with the modified key schedule is called SAFER SK-64. The new key schedule is given below.

$k_9 = \bigoplus_{i=1}^{8} k_i$
for $j = 1, 2, \ldots, 9$: $t_{1,j} = k_j$
for $j = 1, 2, \ldots, 8$: $K_{1,j} = t_{1,j}$
for $i = 2, \ldots, 2r + 1$:
    for $j = 1, 2, \ldots, 9$: $t_{i,j} = t_{i-1,j} \lll 3$
    for $j = 1, 2, \ldots, 8$: $K_{i,j} = (t_{i,\,((i + j - 2) \bmod 9) + 1} + bias[i,j]) \bmod 256$

The 128-bit version of SAFER differs from the 64-bit version in the suggested number of rounds, which is 10, and in the key schedule [7]. The key schedule consists of two sub-schedules, each dealing with a 64-bit key separately. The odd-numbered round keys are taken from the first sub-schedule and the even-numbered round keys from the second. A 128-bit schedule is compatible with its 64-bit version if the two 64-bit key halves input to the key schedule are equal.



3 Knudsen and Berson’s Truncated Differential Attack on SAFER 

Knudsen introduced the concept of the truncated differential attack in [4]. A truncated differential is a differential that predicts only parts of an $n$-bit value. Knudsen and Berson applied the truncated differential attack on 5 round SAFER K-64 successfully [5]. Their attack can find the key in time much faster than by exhaustive search. One version of their attack needs about $2^{45}$ chosen plaintexts and runs in time similar to $2^{?}$ encryptions of 5-round SAFER. Another version of their attack needs about $2^{46}$ chosen plaintexts and runs in time similar to $2^{?}$ encryptions of 5-round SAFER. We introduce their truncated differential attack on SAFER below.



3.1 Truncated Differential of SAFER 

The notation of "expanded view" from [7] is used to denote a one round differential by three tuples of 8 entries each. The first tuple indicates the difference in the 8 bytes of the inputs to the round, the second tuple indicates the difference of the bytes before the PHT-transformation and the third tuple indicates the difference of the bytes after the PHT-transformation, i.e. the difference of the outputs of the round (it is also the difference of the inputs of the next round). A difference of two bytes $(a, b)$ is defined as

$$(a - b) \bmod 256.$$

The one round truncated differential is obtained from the properties of the PHT-transformation and the S-boxes ($X$ and $Z$). The properties of the PHT-transformation are obtained from the matrix $M$. These properties are also listed in the six tables (table 4 to table 10) of [7]. The properties of the S-boxes ($X$ and $Z$) used in obtaining the round differential are listed in table 3 of [6]. Knudsen and Berson listed the one round truncated differentials (together with their probabilities) for SAFER with inputs different in less than or equal to four bytes in table 2 and table 3 of [5]. For example, the following one round truncated differential has probability $2^{-?}$:

$$[0, 0, a, b, 0, 0, c, d],\ [0, 0, e, -e, 0, 0, -e, e],\ [e, 0, 0, 0, e, 0, 0, 0]$$

It is denoted simply as

$$3478 \to 15,\ p = 2^{-?}$$

where 3478 denotes that the inputs are different at the bytes 3, 4, 7 and 8 and where 15 denotes that the outputs are different at the bytes 1 and 5.

One round truncated differentials can be concatenated to get truncated differentials of more than one round. For example, the following one round truncated differentials

$$3478 \to 15,\ p = 2^{-?} \quad \text{and} \quad 15 \to 1357,\ p = 2^{-?}$$

are concatenated to get a two round truncated differential

$$3478 \to 15 \to 1357,\ p = 2^{-?}$$

However, when one round truncated differentials are concatenated, their feasibility needs to be considered. This problem has been mentioned in [7]. Specifically, we note that the input difference of 128 to the S-boxes cannot result in an output difference of 128. Thus some one round truncated differentials like $24 \to 24$ cannot be concatenated with themselves. It is also noted that the input difference of 128 to the exponential permutation $X$ results in an odd output difference. Thus some one round differentials like $5 \to 78$ and $78 \to 3478$ cannot be concatenated.



3.2 Knudsen and Berson's Truncated Differential Attack on 5 Round SAFER K-64

Before introducing Knudsen and Berson's truncated differential attack on 5 round SAFER, proposition 4 in [7] is given below:

Proposition 1. For byte differences $\Delta_\oplus V = V \oplus V'$ and $\Delta_- V = V - V'$,

a) $\Delta_\oplus V \ne 0$ if and only if $\Delta_- V \ne 0$;

b) $\Delta_\oplus V = 128$ if and only if $\Delta_- V = 128$;

c) $\Delta_\oplus V$ is odd if and only if $\Delta_- V$ is odd.
Knudsen and Berson's attack on 5 round SAFER K-64 uses the following 4-round truncated differential with input difference

$$[a, 0, 0, b, c, 0, 0, d]$$

and output difference $[0, 0, 0, 128, 0, 0, 0, 0]$. There are four differentials in this truncated differential, which are listed below. The first two differentials have probability $2^{-?}$. The last two differentials each have probability $2^{-?}$, not $2^{-?}$ as stated in [5]. However, this small error does not affect Knudsen and Berson's attack too much.



$$1458 \to 1357 \to 1357 \to 13 \to 4 \qquad (2)$$

$$1458 \to 2468 \to 1357 \to 13 \to 4 \qquad (3)$$

$$1458 \to 1357 \to 2468 \to 13 \to 4 \qquad (4)$$

$$1458 \to 2468 \to 2468 \to 13 \to 4 \qquad (5)$$



The probabilities in the first two rounds are each $2^{-?}$ and the probability in the third round is $2^{-?}$. Now we look at the differential in the fourth round. For the first two differentials, the differential in the fourth round is

$$[2v, 0, v, 0, 0, 0, 0, 0],\ [128, 0, 128, 0, 0, 0, 0, 0],\ [0, 0, 0, 128, 0, 0, 0, 0]$$

This round has probability $2^{-?}$, which can be found by direct calculation. However, for the last two differentials, the differential in the fourth round is

$$[v, 0, v, 0, 0, 0, 0, 0],\ [128, 0, 128, 0, 0, 0, 0, 0],\ [0, 0, 0, 128, 0, 0, 0, 0]$$

This round has a probability of $2^{-?}$, which is also found by direct calculation. So the probabilities are each $2^{-?}$ for the first two differentials and $2^{-?}$ for the last two differentials. The probability for the 4-round differential is thus $2^{-?}$, not $2^{-?}$ as stated in [5]. This 4-round differential is concatenated with the fifth round differential

$$[0, 0, 0, 128, 0, 0, 0, 0],\ [0, 0, 0, x, 0, 0, 0, 0],\ [2x, x, 2x, x, 2x, x, 2x, x]$$

where the value of $x$ is odd. This differential has probability 1 since the input difference 128 to the exponential permutation table always yields an odd output difference.

After the final output transformation consisting of byte-wise xoring and adding with the last round key, the output difference is:

$$[z_1, x, 2x, z_2, z_3, x, 2x, z_4] \qquad (6)$$

where $x$ is odd, $z_1$ and $z_3$ are even numbers while $z_2$ and $z_4$ are odd numbers according to c) of Proposition 1.

The probability for this truncated differential is $2^{-?}$. About $2^{70}$ pairs are needed to get one right pair. Every structure consisting of $2^{32}$ chosen plaintexts yields about $(2^{32} \times (2^{32} - 1))/2 = 2^{63}$ pairs with the desired input difference. 128 such structures are required to get one right pair, a total of $2^{39}$ plaintexts. This analysis can be performed on each structure and thus the memory requirements are $2^{32}$ 64-bit quantities.

The filtering processes are carried out at the last half round and the first round. The filtering at the last half round is carried out first. Note that the difference at the second byte of the ciphertexts (denoted as $x$) should be odd. The differences in bytes 3, 6 and 7 have values $2x$, $x$ and $2x$, respectively. The differences at the first and fifth bytes are even and the differences at the fourth and eighth bytes are odd. After considering these, all but one out of $2^{29}$ pairs are discarded. $2^{41}$ pairs are left and each pair suggests 16 values of the bytes 1, 4, 5 and 8 of the last round key. Next, the filtering process is carried out at the first round. After checking whether the suggested key yields the desired difference at the output of the first round, every pair suggests about $16 \times 2^{-?} = 2^{?}$ values of the 4 key bytes 1, 4, 5 and 8. In total, the $2^{41}$ pairs suggest $2^{?}$ values of the four bytes of the key. An exhaustive key search at this point can be done in time about $1/2 \times 2^{?} \times 2^{32} = 2^{?}$. By repeating the attack 64 times (using $2^{45}$ chosen plaintexts), the complexity is reduced to $2^{?}$. The complexity is reduced further to $2^{?}$ if the attack is repeated 128 times by using $2^{46}$ chosen plaintexts.

In the filtering process at the last half round, sorting $n$ items requires about $n \log n$ simple operations. A method is given in [5] to reduce the time requirements for the first filtering process. Let a ciphertext be denoted $(c_1, \ldots, c_8)$, which is hashed to $(c_3 - 2c_2,\ c_6 - c_2,\ c_7 - 2c_2)$. The ciphertexts with the same hash value are candidates for a right pair after the first filtering process. Thus, the complexity is reduced to $n$ simple operations.



4 Improved Attack on 5 Round SAFER 

Knudsen and Berson's attack is able to find the secret key of 5 round SAFER K-64 much faster than by exhaustive search. However, when it is used to attack 5 round SAFER SK-64, the key suggested by each pair is 56 bits and it is infeasible to keep a counter for each 56-bit key and repeat the attack. Knudsen and Berson left their attack on 5 round SAFER SK-64 as an open problem [5]. In the following, we improve Knudsen and Berson's attack on 5 round SAFER SK-64 by using a better truncated differential and an additional filtering process. Our truncated differential attack on 5 round SAFER SK-64 needs about $2^{38}$ chosen plaintexts and runs in time similar to $2^{?}$ encryptions of 5-round SAFER. A similar attack can be applied to 5 round SAFER K-64 and the same result can be obtained. Compared with one version of Knudsen and Berson's attack on 5 round SAFER K-64 that requires about $2^{45}$ chosen plaintexts and runs in time similar to $2^{?}$ encryptions of 5 round SAFER, our attack uses many fewer chosen plaintexts (reduced by a factor of about $2^{7}$) and runs in about the same time (if the filtering time is not considered).

4.1 Attack on 5 Round SAFER SK-64 

Our attack on 5 round SAFER SK-64 uses the following 4-round truncated differential with input difference

$$[0, 0, 0, 0, a, b, c, d]$$

and output difference $[0, 0, 0, 0, 0, 0, 128, 0]$. There are 8 differentials (see (7)-(14)) in this 5-round truncated differential. The probabilities are about $2^{-?}$ for half of the differentials, and about $2^{-?}$ for the other half of the differentials.



$$5678 \to 12 \to 1256 \to 15 \to 7 \qquad (7)$$

$$5678 \to 12 \to 3478 \to 15 \to 7 \qquad (8)$$

$$5678 \to 34 \to 1256 \to 15 \to 7 \qquad (9)$$

$$5678 \to 34 \to 3478 \to 15 \to 7 \qquad (10)$$

$$5678 \to 56 \to 1256 \to 15 \to 7 \qquad (11)$$

$$5678 \to 56 \to 3478 \to 15 \to 7 \qquad (12)$$

$$5678 \to 78 \to 1256 \to 15 \to 7 \qquad (13)$$

$$5678 \to 78 \to 3478 \to 15 \to 7 \qquad (14)$$



The probabilities in the first round and the third round are each $2^{-?}$ and the probability in the second round is $2^{-?}$. Now we look at the differential in the fourth round. For those differentials with $1256 \to 15$ at the third round, the differential in the fourth round is

$$[2v, 0, 0, 0, v, 0, 0, 0],\ [128, 0, 0, 0, 128, 0, 0, 0],\ [0, 0, 0, 0, 0, 0, 128, 0]$$

The probability for this round differential varies slightly with the value of the key and is about $2^{-?}$ on average. For those differentials with $3478 \to 15$ at the third round, the differential in the fourth round is

$$[v, 0, 0, 0, v, 0, 0, 0],\ [128, 0, 0, 0, 128, 0, 0, 0],\ [0, 0, 0, 0, 0, 0, 128, 0]$$

The probability for this round differential also varies with the value of the key and is larger than $2^{-?}$ on average. So the probabilities are each $2^{-?}$ for half of the differentials and $2^{-?}$ for the other half of the differentials. The probability for the 4-round differential is thus larger than $2^{-?}$ on average. This 4-round differential is concatenated with the fifth round differential

$$[0, 0, 0, 0, 0, 0, 128, 0],\ [0, 0, 0, 0, 0, 0, x, 0],\ [2x, 2x, x, x, 2x, 2x, x, x]$$

This differential has probability 1.

After the final output transformation consisting of byte-wise xoring and adding with the last round key, the output difference is:

$$[z_1, 2x, x, z_2, z_3, 2x, x, z_4] \qquad (15)$$

where $z_1$ and $z_3$ are even numbers while the least significant bits of $z_2$ and $z_4$ are the same as that of $x$ according to c) of Proposition 1.

The probability for this differential is about $2^{-69}$. About $2^{69}$ pairs are needed to get one right pair. Every structure consisting of $2^{32}$ chosen plaintexts yields about $2^{63}$ pairs with the desired input difference. 64 such structures are required to get one right pair, a total of $2^{38}$ plaintexts. The analysis can be performed on each structure and thus the memory requirements are $2^{32}$ 64-bit quantities.
The filtering processes are carried out at the last half round, the first round and the fifth round. The filtering process at the last half round is very similar to that in Knudsen and Berson's attack except that the value of $x$ may be odd or even. After this filtering process, $2^{41}$ pairs are left. Each pair suggests 16 values for the bytes 1, 4, 5 and 8 of the last round key $(K_{11,1}, K_{11,4}, K_{11,5}, K_{11,8})$. This is the same as saying that 16 values are suggested for $k_2$, $k_5$, $k_6$ and $k_9$ according to the key schedule of SAFER SK-64. Next we carry out the filtering process at the first round. For each of these 16 values, the check in the first round of the differentials will give us about $2^{-?}$ values of the key bytes $k_5$, $k_6$, $k_7$ and $k_8$. Thus, each remaining pair suggests $16 \times 2^{-?} = 2^{?}$ values for the key bytes $k_2$, $k_5$, $k_6$, $k_7$, $k_8$ and $k_9$. The remaining $2^{41}$ pairs suggest $2^{?}$ values for these 6 key bytes. We denote each remaining pair together with one of its suggested 48-bit keys as a unit. We are left with $2^{?}$ units after the filtering processes at the last half round and at the first round. An exhaustive key search at this point can be done in time about $1/2 \times 2^{?} \times 2^{16} = 2^{?}$. However, an additional filtering process at the fifth round will reduce the complexity of the key search by a factor of $2^{8}$. This additional filtering process is the major improvement of our filtering processes compared with those of Knudsen and Berson. Before introducing this filtering process at the fifth round, we first present the following theorem.

Theorem 1. Consider the following two equations ($X$ denotes the exponential permutation)

$$X[V \oplus K] - X[V' \oplus K] = 128$$
$$\Delta V = V - V'$$

Then each pair $(\Delta V, K)$ suggests one value of $V$ on average.

Proof: The result is obtained by direct calculation.

In applying Theorem 1, all the solutions $(\Delta V, K, V)$ are precomputed, so that table lookup can be used to find the value of $V$ quickly once the values of $\Delta V$ and $K$ are given.
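The facts the analysis leans on (the S-box property behind the feasibility rule of Section 3.1, Proposition 1, and the solution count of Theorem 1) can all be confirmed by direct calculation. The following Python script, added here and not part of the paper, does exactly that from the SAFER definitions of Section 2, X(a) = (45^a mod 257) mod 256 and its inverse Z; it assumes nothing beyond those definitions.

```python
"""Direct calculation of the SAFER S-box facts used in Sections 3.1 to 4.1 (added example)."""


def make_sboxes():
    """X(a) = (45^a mod 257) mod 256 and its inverse Z.  45^128 = 256 mod 257,
    so X(128) = 0 and Z(0) = 128, matching the definition in Section 2."""
    x_box = [pow(45, a, 257) % 256 for a in range(256)]
    z_box = [0] * 256
    for a, y in enumerate(x_box):
        z_box[y] = a
    return x_box, z_box


X, Z = make_sboxes()


def output_differences(box, in_xor):
    """Subtractive output differences box[a ^ in_xor] - box[a] (mod 256) over all a."""
    return [(box[a ^ in_xor] - box[a]) % 256 for a in range(256)]


def input_128_gives_odd_output(box):
    """Section 3.1 feasibility rule: an XOR input difference of 128 never yields
    an even output difference (and therefore never an output difference of 128)."""
    return all(d % 2 == 1 for d in output_differences(box, 128))


def proposition1_holds():
    """Check a), b), c) of Proposition 1 for every pair of bytes (V, V')."""
    for v in range(256):
        for w in range(256):
            d_xor, d_sub = v ^ w, (v - w) % 256
            if (d_xor != 0) != (d_sub != 0):
                return False
            if (d_xor == 128) != (d_sub == 128):
                return False
            if (d_xor & 1) != (d_sub & 1):
                return False
    return True


def theorem1_solution_counts():
    """For every (dV, K) count the V with X[V ^ K] - X[V' ^ K] = 128 and dV = V - V'.
    Because X is a permutation, each (V, K) has exactly one V' (hence one dV), so
    the counts sum to 256 * 256 and the average per (dV, K) is exactly 1 (Theorem 1)."""
    counts = {}
    for k in range(256):
        for v in range(256):
            target = (X[v ^ k] - 128) % 256         # required value of X[V' ^ K]
            w = Z[target] ^ k                        # the unique V'
            dv = (v - w) % 256
            counts[(dv, k)] = counts.get((dv, k), 0) + 1
    return counts


def theorem1_average():
    """Average number of V suggested per (dV, K) pair."""
    counts = theorem1_solution_counts()
    return sum(counts.values()) / (256 * 256)


if __name__ == "__main__":
    print("X: 128 -> odd output difference:", input_128_gives_odd_output(X))
    print("Z: 128 -> 128 possible:", 128 in output_differences(Z, 128))
    print("Proposition 1 holds:", proposition1_holds())
    counts = theorem1_solution_counts()
    print("Theorem 1: average solutions per (dV, K) =", theorem1_average(),
          "max =", max(counts.values()))
```

The same table of (ΔV, K, V) solutions is what the paper precomputes for the fifth-round filtering; the maximum count printed shows how far individual pairs deviate from the average of one.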

For the fifth round, the value at the seventh byte of the input to the PHT- 
transformation is expressed as 

V = (q ®K,,,)-2{c, -^„,2)-(C3 -^h,3) + 2(C4 ©^„,4) 

- 2(c5 © 15 ) -b 4 (Cg - 1 g ) -b 2 (c 7 - i^i 1 7 ) - 4 (Cg © ) ( 16 ) 



This expression is obtained by using the expression of M^{-1}, see (1). If the value of 
V is known, (16) reveals 8 bits of information about the key. Since the key bytes k_2, k_5, k_6, k_7, 
k_8 and k_9 are suggested already, the values of (K_{11,1}, K_{11,4}, K_{11,5}, K_{11,6}, K_{11,7}, K_{11,8}) 
are suggested. So (16) can be written as 

2K_{11,2} + K_{11,3} = T    (17) 
where T is calculated from 

T = V - ((c_1 \oplus K_{11,1}) - 2c_2 - c_3 + 2(c_4 \oplus K_{11,4}) - 2(c_5 \oplus K_{11,5}) 
    + 4(c_6 - K_{11,6}) + 2(c_7 - K_{11,7}) - 4(c_8 \oplus K_{11,8}))    (18) 

Next we carry out the filtering process at the fifth round. We are left with 2^^ units 
after the filtering processes at the last half round and at the first round. For each unit, 
we know the values of x (the output difference at the third byte) and K_{10,7} (which is 
derived from k_7 according to the key schedule of SAFER SK-64); they are the \Delta V and 
K in Theorem 1, respectively (the S box L in the encryption becomes the S box X in the 
decryption). So each unit suggests one value of V on average according to Theorem 1. 
The value of V is used to calculate the value of T in (18). From (17), we can predict an 
8-bit value for the key expression 2K_{11,2} + K_{11,3}. Thus, each unit suggests 2* values for the 64-bit 
key and 2^® units suggest 2^® x 2* = 2"*’ values for the 64 bit key. The rest of the key 
can be found by exhaustive key search in time about x 2"*’ = 2"*^ encryptions of 5-round SAFER. 

Compared with Knudsen and Berson's attack on 5 round SAFER K-64, the 
truncated differential used in our attack is better. Consider one of the truncated 
differentials in Knudsen and Berson's attack 

1458 → 1357 → 1357 → 13 → 4 

The probabilities of the truncated differential for the first round and second round are 
each 2"’®. So the probability of the truncated differential for the first two rounds is 2". 
The filtering process at the first round has a filtering power of about 2'^ (which 
means that it is able to discard all but one out of 2*^ suggested keys). Let us consider 
one of the truncated differentials used in our attack 

5678 → 12 → 1256 → 15 → 7. 

The probabilities for the first round and second round are 2'^"' and 2 * respectively. So 
the probability of the truncated differential for the first two rounds is 2'^^. This 
probability is the same as that of Knudsen and Berson. But the filtering process at the 
first round has a filtering power of about 2^"*, about 2* times larger than that in 
Knudsen and Berson's attack. So we see that the differential in our attack increases the 
filtering power at the first round by a factor of about 2* while keeping the probabilities 
almost the same as those in Knudsen and Berson's attack (when we consider only one of 
the differentials). 

An additional filtering process at the fifth round is also used in our attack. A 
similar filtering process can be applied in Knudsen and Berson's attack and can 
increase the filtering power by a factor of about 2' . 
4.2 5 Round SAFER K-64, SAFER K-128 and SAFER SK-128 

Our attack on 5 round SAFER K-64 is very similar to that on 5 round SAFER SK-64. 
The same differential is used and the same result is obtained. Our attack is much better 
than the attack on 5 round SAFER K-64 in [5], as mentioned at the beginning of this 
section. 

For 5 round SAFER K-128, the attack in [5] is better than ours. Applying our 
attack to 5 round SAFER K-128 directly, 2^® chosen plaintexts suggest 2®^ values for 
80 bits of the key. The filtering process is much more tedious and it is infeasible to repeat 
the attack since the memory requirement is too large. 

For 5 round SAFER SK-128, our attack seems better than the attack in [5] since 
here our truncated differential and the filtering process can predict 17 bits of information 
of the 128-bit key while Knudsen and Berson's attack can determine only two bits of 
the key. However, neither our attack nor the attack in [5] can be carried out in 
reasonable time. 



5 Attack on 6 Round SAFER 

Knudsen and Berson's attack is not successful against 6 round SAFER [5]. We improve 
their attack by using methods similar to those we used in attacking 5 round SAFER. Our 
differential attack on 6 round SAFER (SAFER K-64 and SAFER SK-64) needs about 
2^^ chosen plaintexts and runs in time similar to 2^* encryptions of 6-round SAFER. 

5.1 Attack on 6 Round SAFER K-64 

Consider the following 5-round truncated differential with input difference 

[0, 0, a, b, 0, 0, c, d] 

and output difference [0, 0, 0, 128, 0, 0, 0, 0]. There are 16 differentials in this 
truncated differential. The probabilities are 2'*^ for half of the differentials, and 2" 
for the other half. These probabilities are determined in a very 
similar way as in Section 3.2. These differentials are 



3478 → 15 → 1357 → 1357 → 13 → 4    (19) 
3478 → 15 → 1357 → 2468 → 13 → 4    (20) 
3478 → 15 → 2468 → 1357 → 13 → 4    (21) 
3478 → 15 → 2468 → 2468 → 13 → 4    (22) 
3478 → 48 → 1357 → 1357 → 13 → 4    (23) 
3478 → 48 → 1357 → 2468 → 13 → 4    (24) 
3478 → 48 → 2468 → 1357 → 13 → 4    (25) 
3478 → 48 → 2468 → 2468 → 13 → 4    (26) 
3478 → 26 → 1357 → 1357 → 13 → 4    (27) 
3478 → 26 → 1357 → 2468 → 13 → 4    (28) 
3478 → 26 → 2468 → 1357 → 13 → 4    (29) 
3478 → 26 → 2468 → 2468 → 13 → 4    (30) 
3478 → 37 → 1357 → 1357 → 13 → 4    (31) 
3478 → 37 → 1357 → 2468 → 13 → 4    (32) 
3478 → 37 → 2468 → 1357 → 13 → 4    (33) 
3478 → 37 → 2468 → 2468 → 13 → 4    (34) 

The 6 round differential is 

[0, 0, 0, 128, 0, 0, 0, 0], [0, 0, 0, x, 0, 0, 0, 0], [2x, x, 2x, x, 2x, x, 2x, x], 

where the value of x is odd. This differential has probability 1 since an input difference 
128 to the exponentiation permutation always yields an odd output difference. 
Therefore we obtain a 6 round truncated differential with input difference [0, 0, a, b, 0, 
0, c, d] and output difference [2x, x, 2x, x, 2x, x, 2x, x] for odd x and with a probability 
16 × 2'*’ ‘’ = 

We need about 2^^ pairs to get one right pair. We can use structures of 2^^ 
plaintexts each, yielding 2^^ pairs with the desired difference in the inputs. Therefore about 
2^* structures are needed, a total of 2^^ plaintexts. We can perform our analysis on 
each structure and thus the memory requirements are 2^^ 64-bit quantities. 



After the final transformation in SAFER, the output difference is 

[z_1, x, 2x, z_2, z_3, x, 2x, z_4]    (35) 

where x is odd and z_1 and z_3 are even numbers while z_2 and z_4 are odd numbers. 

The filtering processes are carried out at the last half round, the first round and the 
sixth round. Firstly, we carry out the filtering process at the last half round. This is the 
same as that in Knudsen and Berson's attack on 5 round SAFER K-64. 2^^ pairs are 
left and each pair suggests 16 values for the bytes 1, 4, 5 and 8 of the last round key. 
Next we carry out the filtering process at the first round. For each of these 16 values, 
the check in the first round of differentials gives about 2 '^ values of the key bytes 
k_3, k_4, k_7 and k_8. Thus, each remaining pair suggests 16x2'^ = 2"^ values for the key 
bytes k_1, k_3, k_4, k_5, k_7 and k_8. Hence, 2^^ pairs suggest 2^^ values for these 6 key bytes. 
We denote each pair with one of its suggested 48-bit keys as a unit. We are left with 2^^ 
units. Then we carry out the filtering process at the sixth round. It will increase the 
filtering power by a factor of 2^. Before the discussion of this filtering process, we 
introduce the following theorem. 

Theorem 2. Consider the following two equations, where L denotes the logarithmic 
permutation: 

L[V] - L[V'] = 128 
\Delta V = V - V' 

Then each odd value of \Delta V suggests two values of V. 

Proof: The result can be obtained by direct calculation. 

To use this theorem efficiently, all the solutions (\Delta V, V) are listed in a table so 
that table lookup can be used to find V quickly when \Delta V is given. 
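The "direct calculation" behind Theorems 1 and 2, and the lookup tables both theorems are used through, can be reproduced with the following script. It is an added illustration, not part of the paper, and assumes SAFER's exponential box X[a] = 45^a mod 257 with 45^128 = 256 mapped to 0, L its inverse, and byte arithmetic mod 256.

```python
# Added verification (not from the paper): count the solutions of Theorems 1
# and 2 directly, using SAFER's S-boxes.  Assumptions: the exponential box is
# X[a] = 45^a mod 257 with 45^128 = 256 mapped to 0, L is its inverse, and all
# byte arithmetic is taken mod 256.
from collections import defaultdict

# SAFER S-boxes: EXP is the paper's X, LOG is the paper's L.
EXP = [pow(45, a, 257) % 256 for a in range(256)]   # 45^128 mod 257 = 256 -> 0
LOG = [0] * 256
for a, value in enumerate(EXP):
    LOG[value] = a


def theorem1_table():
    """Map (dV, K) -> list of V with X[V ^ K] - X[V' ^ K] == 128 (mod 256),
    where V' = V - dV (mod 256).  Built by walking all (V, K): each such pair
    fixes X[V' ^ K] = X[V ^ K] - 128, hence V' and dV, so there are exactly
    2^16 triples (dV, K, V) spread over the 2^16 pairs (dV, K)."""
    table = defaultdict(list)
    for k in range(256):
        for v in range(256):
            wanted = (EXP[v ^ k] - 128) % 256      # required value of X[V' ^ K]
            v_prime = LOG[wanted] ^ k              # hence V'
            dv = (v - v_prime) % 256               # hence dV
            table[(dv, k)].append(v)
    return table


def theorem2_table():
    """Map dV -> list of V with L[V] - L[V'] == 128 (mod 256), V' = V - dV."""
    table = defaultdict(list)
    for v in range(256):
        v_prime = EXP[(LOG[v] - 128) % 256]        # L[V'] = L[V] - 128
        table[(v - v_prime) % 256].append(v)
    return table


T1 = theorem1_table()
T2 = theorem2_table()


def suggest_v_theorem1(dv, k):
    """Table lookup as in Section 4: values of V suggested by (dV, K)."""
    return T1.get((dv, k), [])


def suggest_v_theorem2(dv):
    """Table lookup as in Section 5: values of V suggested by dV."""
    return T2.get(dv, [])


def average_theorem1_suggestions():
    """Average number of V per pair (dV, K) over all 2^16 pairs (Theorem 1: one)."""
    return sum(len(vs) for vs in T1.values()) / 65536


def theorem2_holds():
    """Theorem 2: every odd dV suggests exactly two V, every even dV suggests none."""
    odd_ok = all(len(T2.get(dv, [])) == 2 for dv in range(1, 256, 2))
    even_ok = all(dv not in T2 for dv in range(0, 256, 2))
    return odd_ok and even_ok


def theorem1_histogram():
    """How many (dV, K) pairs suggest 0, 1, 2, ... values of V.  The 'on average'
    in Theorem 1 hides this spread; a pair with no solution filters the unit out."""
    hist = defaultdict(int)
    for k in range(256):
        for dv in range(256):
            hist[len(T1.get((dv, k), []))] += 1
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    print("S-boxes are mutual inverses:", all(LOG[EXP[a]] == a for a in range(256)))
    print("Theorem 1 average:", average_theorem1_suggestions())
    print("Theorem 1 spread:", theorem1_histogram())
    print("Theorem 2 holds:", theorem2_holds())
    print("dV = 1 suggests V in", suggest_v_theorem2(1))
```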

For the fifth round, the fourth byte of the output of the S box is expressed as 

V = ((c_1 \oplus K_{13,1}) - (c_2 - K_{13,2}) - 2(c_3 - K_{13,3}) + 2(c_4 \oplus K_{13,4}) 
    - 2(c_5 \oplus K_{13,5}) + 2(c_6 - K_{13,6}) + 4(c_7 - K_{13,7}) - 4(c_8 \oplus K_{13,8})) - K_{12,4}    (36) 

If the value of V is known, (36) gives 8 bits of information about the key. Since the key 
bytes k_1, k_3, k_4, k_5, k_7 and k_8 are suggested already, the values of (K_{13,1}, K_{13,3}, K_{13,4}, 
K_{13,5}, K_{13,7}, K_{13,8}) and K_{12,4} are suggested. So (36) can be written as 

K_{13,2} - 2K_{13,6} = T    (37) 

where T is calculated as 

T = V + K_{12,4} - ((c_1 \oplus K_{13,1}) - c_2 - 2(c_3 - K_{13,3}) + 2(c_4 \oplus K_{13,4}) 
    - 2(c_5 \oplus K_{13,5}) + 2c_6 + 4(c_7 - K_{13,7}) - 4(c_8 \oplus K_{13,8}))    (38) 

Now, we carry out the filtering process at the sixth round. We are left with 2^^ 
units after the filtering process at the last half round and the filtering process at the first 
round. For each unit, we know the value of x (the output difference at the third byte); 
it is \Delta V in Theorem 2 (we note that the S box X in encryption is the S box L in 
decryption). So each unit suggests two values of V. The value of V is used to 
calculate the value of T in (38). Each value of T suggests 2 * values for the key bytes 
K_{13,2} and K_{13,6}. Thus, each unit suggests 1? values for the 64-bit key and 2^^ units 
suggest 2^^ × 2® = 2^^ values for the 64 bit key. The rest of the key can be found by 
exhaustive search in time about Q x 2® = 2®' encryptions of 6-round SAFER. 



5.2 Attack on 6 Round SAFER SK-64 

To attack 6 round SAFER SK-64, we use the same truncated differential and a similar 
filtering process as in the attack on 6 round SAFER K-64. This attack needs about 
2^^ chosen plaintexts and runs in time similar to 2®’ encryptions of 6-round SAFER. 
The result is the same as that obtained in the attack on 6 round SAFER K-64. 

The filtering process carried out at the last half round is the same as that in the 
attack on 6 round SAFER K-64. After this filtering process, about 2^^ pairs are left, and 
each pair suggests 16 values for the bytes 1, 4, 5 and 8 of the last round key. This is the 
same as saying that 16 values of k_2, k_4, k_7 and k_8 are suggested by each remaining pair. 
The filtering processes at the first round and the sixth round are different from those in 
Section 5.1 due to the difference in key schedules. Next, we carry out the filtering 
process at the first round. For each of these 16 values, the check in the first round of 
differentials gives about 2"'"' values of the key bytes k_3, k_4, k_7 and k_8. Thus, each 
remaining pair suggests 16 × 2'’"* = 2''° values for the key bytes k_2, k_3, k_4, k_7, k_8. The 
remaining 2^^ pairs suggest 2"*^ values for these 5 key bytes. We denote each pair with 
one of its suggested 40-bit keys as a unit. We are left with 2'^^ units. Then we carry out 
the filtering process at the sixth round. 

Since the key bytes k_2, k_3, k_4, k_7 and k_8 are suggested already, the values of (K_{13,1}, 
K_{13,4}, K_{13,5}, K_{13,8}) are suggested. So (36) can be written as 

K_{13,2} + 2K_{13,3} - 2K_{13,6} - 4K_{13,7} - K_{12,4} = T    (39) 

where T is calculated as 

T = V - ((c_1 \oplus K_{13,1}) - c_2 - 2c_3 + 2(c_4 \oplus K_{13,4}) 
    - 2(c_5 \oplus K_{13,5}) + 2c_6 + 4c_7 - 4(c_8 \oplus K_{13,8}))    (40) 

Also, we note that 

k_9 = k_1 \oplus k_2 \oplus k_3 \oplus \cdots \oplus k_8    (41) 

Now, we continue with the filtering process. We are left with 2"^^ units. For each unit, 
we know the value of x (the output difference at the second byte); it is the \Delta V in 
Theorem 2. So each unit suggests two values of V. The value of V is used to 
calculate the value of T in (40). For each value of T, we can solve for 2*^ values of 
k_1, k_5 and k_6 (this can be done simply through table lookup, as explained below). Thus, 
each unit suggests 2*^ values for the 64-bit key and 2"*^ units suggest 2"*^ x 2'^ = 2^^ 
values for the 64-bit key. The rest of the key can be found by exhaustive search in 
time about x 2^^ = 2^’ encryptions of 6-round SAFER. This result is the same as that 
obtained in the attack on 6 round SAFER K-64. 

In the filtering process at the sixth round, we need to find the values of k_1, k_5 and k_6 
when the value of T is given. This can be done in a short time through table lookup. From 
(39), (41) and the fact that (K_{13,2}, K_{13,3}, K_{13,6}, K_{13,7}, K_{12,4}) are derived 
from (k_5, k_6, k_9, k_1, k_6) respectively, we can precompute the values of k_1, k_5 and k_6 for all 
the values of T and list the results in a table. In the filtering process, once the value of 
T is known, we can obtain the related 2'^ values through table lookup. Thus, this 
filtering process can be implemented in a relatively short time. 



6 7 Round SAFER 

For 7 round SAFER, we apply a truncated differential similar to that in the attack on 
6 round SAFER. It has input difference [0, 0, a, b, 0, 0, c, d] and output difference [2x, 
x, 2x, x, 2x, x, 2x, x] with a probability of about 2'®^. To get a right pair, 2^* chosen 
plaintexts are required. Thus, it is impossible to carry out our attack. 
7 Conclusion 

In this paper, we improved the truncated differential attack on 5 round SAFER SK-64. 
We also carried out attacks on 6 round SAFER K-64 and SAFER SK-64. Our attack 
on 5 round SAFER SK-64 can find the secret key in time much faster than 
exhaustive search. Also, our attack uses fewer chosen plaintexts than 
Knudsen and Berson's attack. Our attack on 6 round SAFER runs in time faster than 
exhaustive search. However, our attack is not efficient when applied to 7 round 
SAFER. We strongly believe that 8 round SAFER is invulnerable to our attacks. 
Appendix 

For the attack on 5 round SAFER SK-64, we illustrate one of the differentials to show 
the detail of the truncated differential. This example differential is 

5678 → 12 → 1256 → 15 → 7 

1st round: [0, 0, 0, 0, a, b, c, d], [0, 0, 0, 0, e, -e, -e, e], [e, e, 0, 0, 0, 0, 0, 0], p = 2'^'' 
2nd round: [e, e, 0, 0, 0, 0, 0, 0], [f, -f, 0, 0, 0, 0, 0, 0], [4f, 2f, 0, 0, 2f, f, 0, 0], p = 2‘® 
3rd round: [4f, 2f, 0, 0, 2f, f, 0, 0], [g, -g, 0, 0, -g, g, 0, 0], [2g, 0, 0, 0, g, 0, 0, 0], p = 
4th round: [2g, 0, 0, 0, g, 0, 0, 0], [128, 0, 0, 0, 128, 0, 0, 0], [0, 0, 0, 0, 0, 0, 128, 0], 

The probability for this round varies with the key and is larger than 2 *^ ^ on average. 
Abstract. In recent years, three main types of attacks have been developed 
against Feistel-based ciphers, such as DES; these attacks are 
linear cryptanalysis, differential cryptanalysis, and the Davies and 
Murphy attack. Using the discrete Fourier transform, we present here a 
quantitative criterion of security against the Davies and Murphy attack. 
Similar work has been done on linear and differential cryptanalysis. 



1 Introduction 

The Feistel scheme is a simple design which allows, when suitably iterated, the 
construction of efficient block ciphers, whose deciphering algorithm is implemented 
in a similar way. The most famous block cipher using a Feistel scheme is 
DES, where the scheme is iterated 16 times, with 16 subkeys extracted from a 
unique master key. The deciphering algorithm is just the same; the only difference 
is that the subkeys are taken in reverse order. 

The master key of DES is only 56 bits long; this is vulnerable to exhaustive 
search. Indeed, specialized DES chips, able to calculate half a million DES ciphers 
per second, have been considered since 1987 and their cost evaluated; it is 
estimated that a five-million-dollar machine using a few thousand such 
chips could break a DES key with a single plaintext/ciphertext pair in two or three 
hours; other more recent estimates give lower prices, thanks to continuous 
technological progress. More recently, following a challenge proposed by RSA 
Inc., a 56-bit DES key was retrieved from a plaintext/ciphertext pair using 
only the idle time of a few thousand general-purpose workstations around the 
world. 

Although exhaustive search is quite feasible, other attacks have been developed. 
These may be applicable to other schemes than DES. The first one was 
differential cryptanalysis; it was based upon the existence of pairs of plaintexts 
such that the corresponding ciphertexts differ in some predictable way related 
to the difference of the plaintexts, with a small but not negligible probability. 
DES appeared to be extremely well protected against this cryptanalysis, and, indeed, 
it is now established that the NSA, which created DES as an improvement 
over the Lucifer scheme from IBM, knew about this attack and strengthened its 
algorithm against it. The attack requires 2'^’^ chosen plaintexts and their corresponding 
ciphertexts. 

K. Ohta and D. Pei (Eds.): ASIACRYPT’98, LNCS 1514, pp. 148-^^^ 2000. 
In 1993, following his earlier work, Matsui discovered linear cryptanalysis, 
which exploited some linear properties of DES; more specifically, Matsui was able 
to build a linear equation in some of the bits of the plaintext, the ciphertext and 
the key, which holds with a probability slightly different from 0.5. Matsui described 
and implemented a method to use this equation in order to recover a DES 
key from 2'^^ plaintext/ciphertext pairs. Linear and differential cryptanalysis 
have been unified in a common formalism by Chabaud and Vaudenay. 

In 1993, Davies and Murphy presented another attack, which uses the fact 
that the output of the confusion function used in the Feistel scheme is not truly 
random, and that this bias depends upon several key bits. Using a large quantity 
of plaintext/ciphertext pairs, it is thus possible to guess these key bits with a 
reasonable probability of success. This attack has not proven very efficient in the 
case of DES, but the same attack may work on other Feistel-based ciphers. The 
resistance of a Feistel-based cipher against linear and differential cryptanalysis 
has already been formally quantified; we present here a similar quantification 
for the Davies and Murphy attack. 

2 Notations 

We here present a description of the Feistel scheme that is used in DES. More 
complete explanations may be found elsewhere. 

We consider a message space \mathcal{M} which consists of binary messages of a fixed 
length; we assume that this length is an even number, so that the messages may 
be divided into two parts of the same length (the left one, with the most significant 
bits, and the right one, with the least significant bits). We denote by \mathcal{N} the space of 
half-messages. 

We also consider a confusion function f which takes two arguments, one from 
\mathcal{N} and the other, K, from a subkey space denoted \mathcal{K}; f returns a value in \mathcal{N}. 

If we consider a message (L, R) where L and R are in \mathcal{N}, the Feistel scheme 
calculates the message (L', R') so that: 

L' = R 
R' = L \oplus f(R, K) 

where \oplus is the bitwise "exclusive or" operation. 

Such a scheme can be iterated several times, with different subkeys. Each 
iteration will be called a round. If we have r rounds, we can denote by (L_i, R_i) the 
input of the i-th round (i is between 1 and r) and (L_{i+1}, R_{i+1}) its output. The 
subkey used for round i is named K_i. We then have the following equations: 

L_{i+1} = R_i 
R_{i+1} = L_i \oplus f(R_i, K_i). 
When used in a cryptographic scheme, L_{r+1} and R_{r+1} are often exchanged. 
Thus we have: 

(L, R) = (L_1, R_1) 
(L', R') = (R_{r+1}, L_{r+1}). 



With this last operation, the deciphering operation is implemented exactly the 
same way as the enciphering; only the subkeys K_i are taken in reverse order. 

A four-round Feistel cipher is schematically represented in figure 1. 

In DES, there are 16 rounds (r = 16) and the elements of \mathcal{N} are 32 bits long. 
The subkeys are 48 bits long, extracted from a 56-bit master key with a fixed 
and public algorithm. A known permutation is applied to the message before 
entering the 16 consecutive Feistel rounds, and the inverse of this permutation 
is applied afterwards. These permutations are fixed by the standard and can be 
easily inverted, so we ignore them here. 

We may note an interesting property of such ciphers; this property was discovered 
and used by Davies and Murphy in their attack. For each round i, we 
have: 

f(R_i, K_i) = L_i \oplus R_{i+1} 

and, if i is not r: 

R_{i+1} = L_{i+2}. 

Therefore, if i is not r, we have: 

f(R_i, K_i) = L_i \oplus L_{i+2}. 

This remark is true for each round except the last one (where i + 2 has no sense). 
If we take the exclusive or of these equations for i even, we obtain the following: 

R \oplus L' = \bigoplus_{i=1}^{r/2} f(R_{2i}, K_{2i}). 

We can make the same operation with the odd rounds, and get the following 
equation: 

L \oplus R' = \bigoplus_{i=1}^{r/2} f(R_{2i-1}, K_{2i-1}). 

Each plaintext/ciphertext pair thus gives access to the XORed value of the 
outputs of the f functions of the even rounds, and also to the XORed value of 
the outputs of the f functions of the odd rounds. That is why a non-uniform 
distribution of the output of the f function may be revealed by observing a 
large quantity of plaintext/ciphertext pairs. 
3 Davies and Murphy Attack 

This attack was presented by Davies and Murphy and improved by Biham and Biryukov. 

We assume that there exists a pattern of n bits in the output of f, so that 
the 2^n values this pattern may take are not equidistributed, for a given key K and 
uniformly distributed random input R. We also assume that the distribution of 
the 2^n values may vary with some bits of the key, in a theoretically predictable 
way. Thus, we have a set of possible distributions, depending on the key, and 
identifying the actual distribution in this set gives us some information on the 
key. 

In the standard DES, we can consider the output of two neighbouring S-boxes 
in the i-th round. This is an 8-bit output; these 8 bits can be observed in 
the output of the f function: in the DES, a fixed permutation is applied to the 
output of the S-boxes, and this permutation is the same for the 16 rounds; so 
the 8 bits form a fixed pattern in the output of f. 

Two neighbouring S-boxes have an input size of 12 bits; 12 bits of K_i but 
only 10 bits of R_i are combined to be used as this input. Two bits of R_i are 
duplicated; the two instances of each of these bits are XORed with two different 
key bits, and then go into the two S-boxes. This is shown in figure 2. 



Figure 2: two neighbouring S-boxes in the DES 



For each duplicated bit, the key bits condition whether the two instances of 
this bit are equal or opposite when entering the two S-boxes. For random R, this 
only implies a non-uniformity of the 12-bit input of the two S-boxes. There are 
two duplicated bits, and therefore four possible sets of 12-bit inputs, depending 
upon four key bits. These sets and the corresponding output distributions of the two 
S-boxes can be easily enumerated. 

As noted in section 2, for each plaintext/ciphertext pair, we have access to 
the XORed value of the outputs of the f functions of odd rounds, and thus access 
to the XORed value of the corresponding 8-bit patterns. If each f function of 
each round may have four output distributions, then the XORed value of 8 such 
outputs may take 165 possible distributions: the XOR is commutative, so that 
the order of the rounds does not matter; what only matters is the number of 
distributions of each of the four types described above. This leads to \binom{11}{3} = 165 
possibilities. 

Strangely enough, in DES, we end up with only two possible distributions; 
this is due to the specific definition of the S-boxes (for an S-box, the output is a permutation 
of the 16 values taken by the four middle bits, and the two extreme 
bits determine which permutation to apply among four), which leads to some 
simplifications in the enumeration of the distributions. The details of this calculation 
may be found elsewhere. The actual distribution depends upon the XORed 
value of several key bits (that is, an indirect key bit, which helps us reduce the 
complexity of the exhaustive search of the key). 

Therefore, identifying the actual distribution among the two possible reveals 
one indirect key bit. As this can be done for odd rounds as well as for even 
rounds, with the same plaintext/ciphertext pairs, the attack may give us two 
key bits. 

The most efficient statistical test known is the maximum likelihood method: 
for each of the possible distributions, one calculates the probability of the event 
actually measured; the distribution which gives the highest probability is then 
supposed to be the right one. In the case of DES neighbouring S-boxes, we then 
have two distributions, which may be represented as two vectors u and v in 
\mathbb{R}^{256}: u_i, with i between 0 and 255, is the probability of obtaining the 8-bit value i. 
Obviously, for each i, u_i is a real number between 0 and 1, and we have: 

\sum_{i=0}^{255} u_i = 1. 

We can also define u' (and similarly v') where 

u'_i = u_i - \frac{1}{256}. 

Thus we have: 

\sum_{i=0}^{255} u'_i = 0. 

As a consequence of the peculiar definition of the S-boxes, we have: 

u' + v' = 0. 

More detailed explanations about this fact may be found elsewhere; this is not a 
general property of Feistel schemes, but an artefact of the structure of the S-boxes. 

Let us assume that we have access to M plaintext/ciphertext pairs; among 
these M pairs, each 8-bit value i appeared m_i times. If the theoretical distribution 
is u, the probability of such an event is: 

p_1 = \prod_{i=0}^{255} u_i^{m_i}. 
p_2 is also defined, in the v case. Comparing p_1 and p_2 is equivalent to comparing 
their logarithms. We have: 

\log p_1 = \sum_{i=0}^{255} m_i \log u_i. 



So we have: 

\log p_1 = \sum_{i=0}^{255} m_i \log\left(\frac{1}{256} + u'_i\right). 

As the sum of all m_i's is M, we have the following: 

\log p_1 = \sum_{i=0}^{255} m_i \log(1 + 256 u'_i) - M \log 256. 

As 256 u'_i is relatively small compared to 1 (for a perfect cipher, u' should be 0; 
DES is well-designed, and a simple experiment on a few million random plaintexts 
confirms that the deviation u' we deal with is really small, and thus many 
plaintext/ciphertext pairs are required), we can approximate the logarithms on 
the right hand side, which gives: 

\log p_1 + M \log 256 \approx 256 \sum_{i=0}^{255} m_i u'_i. 



Similarly, we have: 

\log p_2 + M \log 256 \approx 256 \sum_{i=0}^{255} m_i v'_i. 

Thus we compare the scalar product of m with u' and the scalar product of 
m with v'. We can bound these products using Euclidean norms over \mathbb{R}^{256}. If we 
denote by N(x) the Euclidean norm of x, our two scalar products are: 

s_1 = m \cdot u' \le N(m) N(u') 
s_2 = m \cdot v' \le N(m) N(v'). 



m is what we obtain by analyzing the plaintext/ciphertext pairs; it follows a 
precise distribution, but may vary around this one. m_i is a random variable 
which counts the number of times the pattern value i was obtained among the M 
pairs. The probability of obtaining i for each pair is close to 1/256, therefore the 
mean value of m_i is close to M/256, and its variance is near (M/256)(255/256), 
which we approximate by M/256. 

So the difference between m and its theoretical value (namely M times its distribution 
vector) is a vector whose coordinates have an average absolute value 
of \sqrt{M}/16; so the norm of this vector is close to \sqrt{M} (where N(m) is close to 
M/16). 

Optimal Resistance Against the Davies and Murphy Attack 155 

To conclude anything from the plaintext/ciphertext pairs, the expected 
deviation (the difference between s_1 and s_2) must not be smaller than the standard 
deviation (which is the average deviation of a measure from its distribution; 
when dealing with one-dimensional random variables, the standard deviation 
is the square root of the variance). Therefore, M must be sufficiently big so that: 

N(m)(N(u') + N(v')) > \sqrt{M}. 

This can be rewritten: 

M > \frac{256}{(N(u') + N(v'))^2}. 

In the actual DES, this leads to an attack with at least 2®^ pairs, which may 
reveal two key bits. This is achieved with the two S-boxes 7 and 8. With 2^® 
pairs, the probability of success of the attack (that is, guessing correctly the two 
indirect key bits) is above 50%. The other pairs of S-boxes are much worse, as 
far as attacks are concerned. 

4 The General Feistel Scheme Case 

We now consider the general case of the Davies and Murphy attack; thus we 
ignore all simplifications induced by the specific definition of DES. We have a 
Feistel-based cipher, with r rounds (r is even), with a confusion function f, so 
that n particular bits of the output of the f function form a pattern whose 2^n 
possible values are not equidistributed. We also assume that the distribution 
of these values may vary, depending on some of the key bits of the considered 
round. We suppose we have q possible distributions, represented by q vectors of 
\mathbb{R}^{2^n}, denoted u^1, \ldots, u^q. 

For each plaintext/ciphertext pair, we have access to the XORed value of r/2 
patterns of n bits. This value follows a distribution which depends upon some 
key bits; we can theoretically calculate these distributions, and we want to be able 
to determine, using several plaintext/ciphertext pairs, which distribution among 
the possible ones is the one actually in use; this would give us the corresponding 
information about the key bits involved. 

The XOR operation is commutative; in each round, the pattern may have 
one distribution among q; what only matters in the distribution of the XORed 
value of the r/2 patterns is the number of each distribution we have among the 
r/2 rounds. The number of possible combinations is then: 

Some of these distributions may in fact be alike, just as is the case with DES, 
where there are only two distributions. 

We now introduce another representation for distributions of n-bit patterns, 
which we considered for the moment as vectors in \mathbb{R}^{2^n}. Such a vector can be 
viewed as a function from \mathbb{Z}_2^n to \mathbb{R}, which associates to an n-bit binary vector 
the coordinate associated with the integer number the binary vector represents. 
Such a function may be decomposed using the Fourier transform. 

We consider the Fourier basis of functions v_y for each vector y in \mathbb{Z}_2^n, so that 
for each vector x, we have: 

v_y(x) = (-1)^{y \cdot x} 

where y \cdot x denotes the scalar product of y and x (namely the number of bits set 
to 1 in y \& x, where \& is the bitwise AND operation). 

If a is a function from \mathbb{Z}_2^n to \mathbb{R}, we can compute its Fourier coefficients \hat{a}(y) 
(for each vector y) as follows: 

\hat{a}(y) = \sum_x a(x) v_y(x). 

Using these coefficients, we can recover the function a with the inverse Fourier 
transform: 

a(x) = 2^{-n} \sum_y \hat{a}(y) v_y(x) = 2^{-n} \hat{\hat{a}}(x) 

for each vector x. 

The XOR operation between the outputs of two rounds of the cipher is, in the 
Fourier formalism, a convolution of the two distributions of outputs. Indeed, if a 
is the function representing the distribution of the output of the first round, and 
b is that of the output of the second round, then the distribution of the bitwise XOR of 
these two rounds will be c, where, for each x: 

c(x) = \sum_{y + z = x} a(y) b(z). 

But the addition in \mathbb{Z}_2^n is nothing else than the XOR operation, and, for each 
x, we have x \oplus x = 0. Therefore, the equation may be rewritten this way: 

c(x) = \sum_y a(x - y) b(y). 

A convolution is simply calculated by multiplying term by term the Fourier 
coefficients. This means that, using the preceding notations, we have, for each 
x: 

\hat{c}(x) = \hat{a}(x) \hat{b}(x). 

We shall prove a similar property for the deviations from equiprobability: if we 
consider a', b' and c' such that a(x) = 2^{-n} + a'(x) for all x (and likewise for b and c), then, if c is the 
convolution product of a and b, c' is the convolution product of a' and b'. 
Indeed, if we denote by d the constant function equal to 2^{-n}, its Fourier coefficients 
\hat{d}(x) are 1 if x = 0, 0 otherwise. Therefore, we have the following: 

\hat{a} = \hat{a}' + \hat{d} 
\hat{b} = \hat{b}' + \hat{d} 
\hat{c} = \hat{c}' + \hat{d} 
\hat{c} = \hat{a} \hat{b}. 

So we have, by replacing \hat{a}, \hat{b} and \hat{c} in the last equation by their expressions in 
\hat{a}', \hat{b}' and \hat{c}': 

\hat{c}' + \hat{d} = \hat{a}' \hat{b}' + \hat{d}^2 + \hat{d}(\hat{a}' + \hat{b}'). 

We clearly have \hat{d}^2 = \hat{d} (as \hat{d}(x) = 0 or 1 for each x), and \hat{a}'(0) = \hat{b}'(0) = 0 (for 
a function u, the first Fourier coefficient \hat{u}(0) is the sum of all its values over \mathbb{Z}_2^n, 
so it is 0 in the case of a' and b', as these are the deviations of a distribution from 
the uniform distribution, which is the constant function equal to 2^{-n}). Hence 
\hat{d}(\hat{a}' + \hat{b}') = 0 and \hat{c}' = \hat{a}' \hat{b}', which is the convolution property claimed for the deviations. 

In order to set a minimal bound for the complexity of the Davies and Murphy attack, we want to get a maximal bound for the size of the deviation of the pattern of the output of the $f$ function from the uniform distribution. If we consider the $m/M$ vector, this will follow the distribution $a$, which deviates from the uniform distribution by $a'$. The $m$ vector comes from an actual "measure" (the plaintext/ciphertext pairs), so it will deviate from its distribution by an average distance of $\sqrt{M}$ (this is the same calculation as at the end of Section 3). We use the maximum likelihood method, so we compare the scalar products of $m$ with the possible deviations from equidistribution.

So we find that, if $Y$ is a maximal bound for the euclidean norm of the deviation (in the coordinate space), the scalar products we consider are such that the number $M$ of plaintext/ciphertext pairs needed for a successful attack must satisfy:

$2^{n/2} -$

($2Y$ is a maximum for the distance between two possible distributions), which can be rewritten this way:

$M >$

$4Y^2$

We note that this result stands with the approximations used in Section 3, in particular $n$ is big enough to neglect $2^{-n}$ with respect to 1.

All we need is the value of $Y$. If the function giving the distribution of the XORed values of the outputs of the $r/2$ rounds is $a$, then we may obtain $Y$ from its Fourier coefficients $\hat{a}$. Indeed, the euclidean norm over the coordinate space corresponds to the norm in the function space, and the scalar product becomes the following:

$$a \cdot b = \sum_x a(x)\, b(x).$$

The Fourier transform simply computes the coordinates of a function $a'$ over the orthogonal basis $(v_y)$. All $v_y$ have $2^{n/2}$ as norm. We can therefore calculate the norm of a function $a'$ using its Fourier coefficients $\hat{a}'$:

$$N(a') = 2^{-n/2}\, N(\hat{a}').$$

Therefore we have:

$$N(\hat{a}) \le 2^{n/2} \max_x |\hat{a}(x)|,$$

where $N(\hat{a})$ is the norm of $\hat{a}$. Thus, we have the proposed value $Y$:

$$Y = \max_x |\hat{a}(x)|.$$
We have seen that the Fourier coefficients of $a$ are obtained by multiplying those of the functions associated with each round. We then have the following security criterion:

— Calculate the Fourier coefficients of the functions representing the possible bias from equiprobability of the distribution of the chosen pattern in the output of the confusion function of one round. This is done in the DES by making the distribution of the pattern explicit, by exhaustive enumeration of the possible inputs of two neighbouring S-boxes.

— Take the largest of these coefficients in absolute value, denoted $\mu$.

— Raise it to the $r$-th power.

— This peculiar pattern is secure against Davies and Murphy attacks up to:

1 

4 ^ 

The global security of the scheme is therefore a question of enumeration of 
possible biased patterns. The criterion uses some approximations, so the actual 
security may in fact be higher. In the DES case, with the same pattern as the one 
used by Davies and Murphy to find the attack in 2®^ (but Davies and Murphy 
consider the attack as useful only if it gives two correct key bits with a probability 
better than 0.5, and therefore calculate a complexity of 2^® in this case) we find 
a security of at least 2®^. 
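The Fourier machinery of this section carried out numerically: the Walsh transform over $\mathbb{Z}_2^n$, the XOR-convolution theorem, the fact that the deviations $a'$, $b'$, $c'$ obey the same product rule, and the $\mu^r$ step of the criterion. This is an added example, not the paper's code; the 2-bit one-round distribution `ROUND` is constructed here, and the pair count is computed as $1/(4Y^2)$, which is this example's reading of the inequality above (its numerator taken as 1) and an assumption.

```python
# Walsh (Fourier over Z_2^n) analysis of XORed round-output distributions.
# Added example, not the paper's code; the toy distributions below are constructed.
N = 2  # toy pattern width in bits (assumption); the DES pattern in the text has n = 8

def popcount_parity(x):
    """(-1)^(number of set bits of x): v_y(x) is this value evaluated at y & x."""
    return -1 if bin(x).count("1") % 2 else 1

def walsh(a, n):
    """Fourier coefficients a_hat(y) = sum_x a(x) v_y(x), with v_y(x) = (-1)^(y . x)."""
    size = 1 << n
    return [sum(a[x] * popcount_parity(x & y) for x in range(size)) for y in range(size)]

def inverse_walsh(ahat, n):
    """a(x) = 2^-n sum_y a_hat(y) v_y(x)."""
    size = 1 << n
    return [sum(ahat[y] * popcount_parity(x & y) for y in range(size)) / size
            for x in range(size)]

def xor_convolve(a, b, n):
    """c(x) = sum_{y xor z = x} a(y) b(z): distribution of the XOR of two
    independent outputs drawn from a and b."""
    c = [0.0] * (1 << n)
    for y in range(1 << n):
        for z in range(1 << n):
            c[y ^ z] += a[y] * b[z]
    return c

def deviation(a, n):
    """a' = a - d, where d is the constant function 2^-n (the uniform distribution)."""
    return [v - 2.0 ** -n for v in a]

def close(u, v, tol=1e-12):
    return len(u) == len(v) and all(abs(p - q) < tol for p, q in zip(u, v))

def convolution_theorem_holds(a, b, n):
    """Checks c_hat = a_hat * b_hat (termwise), the same identity for the
    deviations a', b', c', and that the inverse transform returns c."""
    c = xor_convolve(a, b, n)
    ah, bh, ch = walsh(a, n), walsh(b, n), walsh(c, n)
    dev_ah, dev_bh = walsh(deviation(a, n), n), walsh(deviation(b, n), n)
    dev_ch = walsh(deviation(c, n), n)
    return (close(ch, [p * q for p, q in zip(ah, bh)])
            and close(dev_ch, [p * q for p, q in zip(dev_ah, dev_bh)])
            and close(inverse_walsh(ch, n), c))

def davies_murphy_bound(round_dist, n, r):
    """mu: largest |coefficient| of the one-round deviation a'; Y = mu^r bounds the
    deviation after r XORed rounds.  The pair count is returned as 1/(4 Y^2): this
    example's reading of the text's bound with numerator 1 (an assumption)."""
    mu = max(abs(v) for v in walsh(deviation(round_dist, n), n))
    Y = mu ** r
    return mu, Y, 1.0 / (4 * Y * Y)

def rounds_deviation(round_dist, n, r):
    """Deviation a' of the XOR of r independent copies of the one-round distribution,
    obtained by repeated convolution (its coefficients should all equal mu^r)."""
    dist = round_dist
    for _ in range(r - 1):
        dist = xor_convolve(dist, round_dist, n)
    return deviation(dist, n)

# Constructed one-round pattern distribution on N bits: the value 0 is over-represented.
ROUND = [0.4, 0.2, 0.2, 0.2]
```

For `ROUND` every non-zero coefficient of the deviation equals 0.2, so after four rounds the deviation coefficients are $0.2^4 = 0.0016$ whether they are computed by convolving four times or by raising $\mu$ to the fourth power; `convolution_theorem_holds` checks the product rule on both the distributions and their deviations.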

5 The Approximations Used 

It must be noted that we made several approximations in the calculation. The main one is that we want to bound the euclidean distance between possible distributions, and we do it by bounding the deviation of these distributions from equiprobability; this is just what is necessary in the DES case, as the two possible deviations from equiprobability are just symmetric. That is why we obtain the exact result in this case.

The other calculations are also subject to some approximations. We considered that the $2^n$ coordinates of the $m$ vector are Gaussian independent random variables; they are not, in fact, independent, as their sum is $M$. If $2^n$ is sufficiently big, this will not be a problem. In the DES case, $n = 8$, so we neglect this effect. The $m_i$ values follow binomial distributions, which can be approximated by a Gaussian distribution if $M$ is big enough, using the central limit theorem. Considering the precision needed, any $M$ above 1000 will do (and indeed $M$ is largely above 1000). We also assume that the final distribution is close to the equiprobable one, which is desirable anyway in any symmetric cipher scheme.

6 Conclusion and Open Problems 

We described a method to calculate a minimal bound for the Davies and Murphy attack against a Feistel scheme. In order to apply it efficiently to a given scheme, one must first identify the patterns of bits in the output of the confusion function whose possible values are not equidistributed. Once identified, their output distribution must then be calculated precisely, which may not be easy, depending on the scheme.
A Group Signature Scheme with Improved Efficiency

(Extended Abstract)



Abstract. The concept of group signatures allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature's originator can be revealed by a designated entity. In this paper we propose a new group signature scheme that is well suited for large groups, i.e., the length of the group's public key and of signatures does not depend on the size of the group. Our solution, based on a variation of the RSA problem, is more efficient than previous ones satisfying these requirements.

Keywords. Group signature scheme for large groups, digital signature schemes, revocable anonymity.



1 Introduction 

In 1991 Chaum and van Heyst put forth the concept of a group signature scheme m-. Participants are group members, a membership manager, and a revocation manager. A group signature scheme allows a group member to sign messages anonymously on behalf of the group. More precisely, signatures can be verified with respect to a single public key of the group and do not reveal the identity of the signer. The membership manager is responsible for the system setup and for adding group members, while the revocation manager has the ability to revoke the anonymity of signatures.

A group signature scheme could for instance be used by an employee of a large company to sign documents on behalf of the company. In this scenario, it is sufficient for a verifier to know that some representative of the company has signed. Moreover, in contrast to when an ordinary signature scheme would be used, the verifier does not need to check whether a particular employee is allowed to sign contracts on behalf of the company, i.e., he needs only to know a single company's public key. A further application of group signature schemes is electronic cash, as was pointed out in m-. In this scenario, several banks issue coins, but it is impossible for shops to find out which bank issued a coin that is obtained from a customer. Hence, the central bank plays the role of the membership and the revocation manager and all other banks issuing coins are group members. The identification as a group member is another application, e.g., in order to get access to a restricted area |2H|.

Various group signature schemes have been proposed so far. However, in the schemes presented in | l/llbllVt-!b| the length of signatures and/or the size of the group's public key depend on the size of the group, and thus these schemes are not suitable for large groups. Only in the two families of efficient schemes presented in |9I1()| (and the blind versions thereof |32]) are the length of signatures and the size of the group's public key independent of the number of group members¹. The schemes presented in |2H! satisfy the length requirement as well, but these are inefficient.

In this paper we propose a new group signature scheme for which the length of signatures and the size of the group's public key do not depend on the size of the group. The security of our scheme relies on a variant of the so-called strong RSA assumption proposed in HES]. Compared to the solutions in mi, our scheme is based on a different number-theoretic assumption and is also more efficient.



2 Model and an Approach for Realization 

2.1 Model 

A group signature scheme consists of the following algorithms:

setup: An interactive setup protocol between the membership manager, the group members, and the revocation manager. The public output is the group's public key $Y$. The private outputs are the individual secret keys $x_G$ for each group member, the secret key $x_M$ for the membership manager, and the secret key $x_R$ for the revocation manager.

sign: A signature generation algorithm that on input a message $m$, an individual group member's secret key $x_G$, and the group's public key $Y$ outputs a signature $\sigma$.

verify: A verification algorithm that on input a message $m$, a signature $\sigma$, and the group's public key $Y$ returns 1 if and only if $\sigma$ was generated by some group member using sign on input $x_G$, $m$, and $Y$.

tracing: A tracing algorithm that on input a signature $\sigma$, a message $m$, the revocation manager's secret key $x_R$, and the group's public key $Y$ returns the identity $ID$ of the group member who issued the signature $\sigma$ together with an argument $arg$ of this fact.

vertracing: A tracing-verification algorithm that on input a signature $\sigma$, a message $m$, the group's public key $Y$, the identity $ID$ of a group member, and an argument $arg$ outputs 1 if and only if $arg$ was generated by tracing with respect to $m$, $\sigma$, $Y$, $x_R$.



¹ The other schemes with the same properties were shown to be flawed ISIE3-
The following informally stated security requirements must hold:

Unforgeability of signatures: Only group members are able to sign messages.

Anonymity of signatures: It is not feasible to find out the group member who signed a message without knowing the revocation manager's secret key.

Unlinkability of signatures: It is infeasible to decide whether two signatures have been issued by the same group member or not.

No framing: Even if the membership manager, the revocation manager, and some of the group members collude, they cannot sign on behalf of non-involved group members.

Unforgeability of tracing: The revocation manager cannot falsely accuse a signer of having originated a given signature, e.g., by issuing an argument $arg$ such that vertracing outputs 1.

The efficiency of a group signature scheme can be measured by the size of the public key $Y$, the length of signatures, and by the efficiency of the algorithms sign, verify, setup, tracing, and vertracing.



2.2 Approach of Camenisch and Stadler 

The core idea of the schemes proposed in jPIlU) is the following. A group's public key consists of a membership manager's public key of an ordinary digital signature scheme and a revocation manager's public key of a probabilistic encryption scheme. A user, say Alice, who wants to join the group chooses a random secret key $x_G$ and computes her membership key $z := f(x_G)$, where $f$ is a suitable one-way function. Alice commits to $z$ (for instance by signing it) and sends $z$ and her commitment to the membership manager $M$, who returns her a membership certificate $u := \mathrm{sig}_M(z)$.

To sign a message $m$ on behalf of the group, Alice encrypts $z$ using the public key of the revocation manager (let $c$ denote this ciphertext) and issues a Signature of Knowledge² [0| that she knows some values $x$ and $u$ such that $u = \mathrm{sig}_M(f(x))$ holds and that $f(x)$ is encrypted in $c$. The verification of such a group signature is done by checking this signature of knowledge. The revocation manager can easily revoke the anonymity of a group signature by decrypting $c$ and forwarding this value to the membership manager.

To realize a concrete scheme along these lines, one has to find a suitable one-way function $f$ and a suitable signature scheme that yield an efficient signature of knowledge for the values $x$ and $u$. In iniTni, two proposals based on different number-theoretic assumptions were put forth. The first assumption is that, given $e$, $g$, and an RSA modulus $n$, finding integers $u$, $x$ such that $u^e = g^x + 1 \pmod n$ holds is hard, where $g$ is an element of large order. The second one is that it is hard to find $u$ and $x$ with $|x| < |n|/2$ such that $u^e = x^{\,} + v \pmod n$ given $v$ and $n$, where $v$ is a suitably chosen integer and $n$ is an RSA modulus.

In the next section we will introduce an alternative assumption that allows the construction of a new group signature scheme.

² These are message-dependent non-interactive arguments derived from 3-move honest-verifier zero-knowledge proofs of knowledge using the Fiat-Shamir heuristic |23I24|.
3 Number Theoretic Assumptions

Recently, Baric and Pfitzmann P as well as Fujisaki and Okamoto pni independently proposed a variation of the well-known RSA m assumption, the so-called strong RSA assumption. We will modify this assumption slightly. Let $k$, $\ell_g$, $\ell_1$, $\ell_2 < \ell_g$, and $\varepsilon > 1$ be security parameters and, for simplicity, let $\ell := \varepsilon(\ell_2 + k) + 1$. Furthermore, let $\mathcal{G}(\ell_g)$ denote the set of groups whose order has length $\ell_g$ and has two prime factors of length $(\ell_g - 2)/2$. Finally, let

$$\mathcal{M}(G, z) = \{(u, e) \mid z = u^e,\ u \in G,\ e \in \{2^{\ell_1}, \ldots, 2^{\ell_1} + 2^{\ell_2}\},\ e \text{ prime}\},$$

where $G \in \mathcal{G}(\ell_g)$ and $z \in G$.

Assumption 1 (Modified strong RSA assumption). For all probabilistic polynomial-time algorithms $A$, all polynomials $p(\cdot)$, all sufficiently large $\ell_g$, and suitably chosen $\ell_1$, $\ell_2$, $k$, and $\varepsilon$

$$\Pr[\,z = u^e \ \wedge\ e \in \{2^{\ell_1} - 2^{\ell}, \ldots, 2^{\ell_1} + 2^{\ell}\} \ \wedge\ e \notin M \;:\; G \in_R \mathcal{G}(\ell_g),\ z \in_R G,\ (U \times M) \subset_R \mathcal{M}(G, z),\ |M| = O(\ell_g),\ (u, e) := A(G, z)\,] < \frac{1}{p(\ell_g)}.$$

Possible choices for $G$ are discussed in Section 5.1. Let us remark that, given $u$, $e$, $\tilde{u}$, and $\tilde{e}$ with $z = u^e = \tilde{u}^{\tilde{e}}$, it is easy to find an element $\hat{u}$ satisfying $z = \hat{u}^{e\tilde{e}}$ using the extended Euclidean algorithm. However, as $e\tilde{e} \notin \{2^{\ell_1} - 2^{\ell}, \ldots, 2^{\ell_1} + 2^{\ell}\}$ for suitably chosen parameters $\ell_g$, $\ell_1$, $\ell_2$, $\varepsilon$, and $k$, the integer $e\tilde{e}$ does not satisfy the range constraint. According to a result in [Z2I1I1, and as all $e$'s in $M$ are prime, it is infeasible to compute $(\tilde{u}, e')$ satisfying $\tilde{u}^{e'} = z$ for an $e'$ that does not divide the product of all $e$'s in $M$ as long as the standard RSA assumption holds. Hence there is no further attack except the one mentioned above.

Our group signature scheme further relies on the so-called Decision Diffie-Hellman (DDH) assumption. Let $G \in \mathcal{G}(\ell_g)$, $n'$ be the divisor of $G$'s order of length $\ell_g - 2$, and define the two sets

$$\mathcal{D} := \{(g_1, y_1, g_2, y_2) \in G^4 \mid \mathrm{ord}(g_1) = \mathrm{ord}(g_2) = n',\ \log_{g_1} y_1 = \log_{g_2} y_2\}$$

$$\mathcal{Q} := \{(g_1, y_1, g_2, y_2) \in G^4 \mid \mathrm{ord}(g_1) = \mathrm{ord}(g_2) = n'\}$$

of Diffie-Hellman and random 4-tuples, respectively.

Assumption 2 (Decision Diffie-Hellman assumption). For all probabilistic polynomial-time algorithms $A : G^4 \to \{0, 1\}$, the two probability distributions

$$\Pr[a = 1 : T \in_R \mathcal{D},\ a := A(T)] \qquad\text{and}\qquad \Pr[a = 1 : T \in_R \mathcal{Q},\ a := A(T)]$$

are computationally indistinguishable.

We remark that in the case $G = \mathbb{Z}_n^*$, where $n$ is an RSA modulus, the DDH assumption does not hold. The Jacobi symbol, which can be computed efficiently without knowing the factorization of $n$, leaks information about $\log_{g_1} y_1$ and $\log_{g_2} y_2$. For instance, if $(g_1|n) = (g_2|n) = (y_2|n) = -1$ and $(y_1|n) = 1$, then $\log_{g_1} y_1 \neq \log_{g_2} y_2$. If $G = \langle g \rangle$ is defined as a subgroup of $\mathbb{Z}_n^*$ such that $(g|n) = 1$, this problem is overcome.
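The remark above, made concrete: the Jacobi symbol is multiplicative, so when $(g|n) = -1$ the symbol $(g^x|n) = (-1)^x$ exposes the parity of $x$, and a 4-tuple whose two logarithms have different parities can be rejected as non-Diffie-Hellman by anyone; inside the subgroup of elements with symbol 1 every power has symbol 1 and the test says nothing. This is an added example, not the paper's code; the modulus $n = 1019 \cdot 1907$ is constructed from two small safe primes and is far too small for real use.

```python
# Why the group G must sit inside the Jacobi-symbol-1 subgroup of Z_n^*.
# Added example, not the paper's code; n is constructed from two small safe primes.
P, Q = 1019, 1907        # 1019 = 2*509 + 1, 1907 = 2*953 + 1 (constructed toy values)
N = P * Q

def jacobi(a, n):
    """Jacobi symbol (a|n) for odd n > 0 via quadratic reciprocity; no factoring of n needed."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:              # pull out factors of two: (2|n) depends on n mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                    # reciprocity step
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def log_parity(g, y, n):
    """Parity of log_g y when the Jacobi symbol leaks it, i.e. when (g|n) = -1, since then
    (g^x|n) = (-1)^x.  Returns None when (g|n) = 1: every power then has symbol 1."""
    if jacobi(g, n) != -1:
        return None
    return 0 if jacobi(y, n) == 1 else 1

def jacobi_rules_out_dh(t, n):
    """True when the symbols alone prove log_{g1} y1 != log_{g2} y2 for t = (g1, y1, g2, y2)."""
    g1, y1, g2, y2 = t
    p1, p2 = log_parity(g1, y1, n), log_parity(g2, y2, n)
    return p1 is not None and p2 is not None and p1 != p2

def elements_with_symbol(s, n, count):
    """The first `count` elements of Z_n^* (counting from 2) with Jacobi symbol s."""
    out, g = [], 2
    while len(out) < count:
        if jacobi(g, n) == s:
            out.append(g)
        g += 1
    return out

def demo():
    g1, g2 = elements_with_symbol(-1, N, 2)
    # logs 2 and 3: different parity, so the symbols alone reject the tuple
    leaky_non_dh = jacobi_rules_out_dh((g1, pow(g1, 2, N), g2, pow(g2, 3, N)), N)
    # equal logs: a genuine DH tuple is never rejected by the parity test
    leaky_dh = jacobi_rules_out_dh((g1, pow(g1, 3, N), g2, pow(g2, 3, N)), N)
    # The remedy of the text: work in <g> with (g|n) = 1 (here squares), where nothing leaks
    s1, s2 = g1 * g1 % N, g2 * g2 % N
    subgroup = jacobi_rules_out_dh((s1, pow(s1, 2, N), s2, pow(s2, 3, N)), N)
    return {"leaky_non_dh": leaky_non_dh, "leaky_dh": leaky_dh,
            "subgroup_leaks": subgroup, "symbols": (jacobi(g1, N), jacobi(s1, N))}
```

`demo()` returns `leaky_non_dh` true and `subgroup_leaks` false: the same distinguishing idea that works in $\mathbb{Z}_n^*$ is blind once $g$ and all the tuple's elements have Jacobi symbol 1, which is the setting the scheme uses from Section 5.1 onwards.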
4 Building Blocks

In this section we introduce the building blocks for our scheme, borrowing notation from 0. These building blocks are signature schemes derived from statistical (honest-verifier) zero-knowledge proofs of knowledge using the Fiat-Shamir heuristic and are therefore called "Signature based on a proof of knowledge", SPK for short. Usually, the security of such building blocks is argued by showing that the underlying interactive protocol is secure and then by assuming that "nothing bad happens" when the verifier is replaced with a collision-resistant hash function. This approach has been formalized as the random oracle model (e.g., see PEZlfl). For the signer/prover, security means that the protocol should be zero-knowledge, and for the verifier it means that the protocol should be a proof of knowledge. An example of this method is the Schnorr signature scheme m that is derived from an honest-verifier proof of knowledge of the discrete logarithm of the signer's public key.

In the following we describe four building blocks. The first one shows the knowledge of a discrete logarithm, the second the equality of two discrete logarithms, the third the knowledge of one out of two discrete logarithms, and the fourth the knowledge of a discrete logarithm that lies in a certain interval. Of course, these building blocks can be combined in the usual way (e.g., see EDI). The building blocks have in common that the prover does not know the order of $G$, i.e., the verifier chooses a group $G = \langle g \rangle$ of large order such that only he can know the order. However, the order of magnitude of the group's order shall be known to both. Furthermore, the verifier chooses a second generator $h$ and proves that $g$ and $h$ have order $p'q'$, where $p'$ and $q'$ are two primes of length $(\ell_g - 2)/2$, and that he does not know $\log_g h$. How this can be done is discussed in the next section. Since the group order is not publicly known, we define the discrete logarithm of a $y \in G$ to the base $g$ to be any integer $x$ such that $y = g^x$ holds. Finally, we assume a collision-resistant hash function $\mathcal{H} : \{0, 1\}^* \to \{0, 1\}^k$ (e.g., $k \approx 160$).

Before we define the building blocks let us explain the notation with the following example P|: a signature based on a proof of knowledge, denoted

$$SPK\{(\alpha, \beta) : y = g^{\alpha} \wedge z = g^{\beta} h^{\alpha}\}(m),$$

is used for 'proving' the knowledge of the discrete logarithm of $y$ to the base $g$ and of a representation of $z$ to the bases $g$ and $h$, and in addition, that the $h$-part of this representation equals the discrete logarithm of $y$ to the base $g$. This is equivalent to the knowledge of a pair $(\alpha, \beta)$ satisfying the equations on the right side of the colon. In the sequel, we use the convention that Greek letters denote the elements whose knowledge is proven and all other letters denote elements that are known to the verifier.

Recently, it has been shown that this approach does not work for general protocols m, i.e., there exist protocols (although specially designed ones) which are secure in the random oracle model but that yield an insecure signature scheme. However, it is believed that the approach is still valid for the kind of protocols considered here.
4.1 Showing the Knowledge of a Discrete Logarithm

This protocol is an adaption of the protocols for proving the knowledge of a discrete logarithm |T^ to the setting with a group of unknown order due to Girault VMm. A consequence of this setting is that the usual knowledge extractor for showing that a protocol is a proof of knowledge does not work, since the knowledge extractor does not know the group's order either and hence cannot compute inverses modulo this group order and therefore cannot extract the witness. Poupard and Stern m give a security proof for this adaption in a weaker security model, i.e., they show that if an attacker was able to carry out the protocol for almost all public keys, then he could also compute the discrete logarithm of the prover's public key. Since the latter is assumed to be impossible, the protocol is concluded to be secure.

In the following we propose an alternative security proof using the model of Fujisaki and Okamoto [23|. In this model, the key setup is made a part of the protocol, i.e., the verifier chooses the group $G$ and all other parameters and sends these as a first step to the prover. As a consequence, the knowledge extractor is allowed to choose the group and hence knows the group order. When turning this protocol into a signature scheme, the first steps, i.e., the key setup, are carried out interactively, and only the last three half-rounds are made non-interactive using the Fiat-Shamir heuristic.

Definition 1. Let $\varepsilon > 1$ be a security parameter. A pair $(c, s) \in \{0, 1\}^k \times \{-2^{\ell_g + k}, \ldots, 2^{\varepsilon(\ell_g + k)}\}$ satisfying $c = \mathcal{H}(g\|y\|g^s y^c\|m)$ is a signature of a message $m \in \{0, 1\}^*$ with respect to $y$ and is denoted $SPK\{(\alpha) : y = g^{\alpha}\}(m)$.

An entity knowing the secret key $x = \log_g y$ of its public key $y$ can compute such a signature $(c, s) = SPK\{(\alpha) : y = g^{\alpha}\}(m)$ of a message $m \in \{0, 1\}^*$ by

— choosing $r \in_R \{0, 1\}^{\varepsilon(\ell_g + k)}$ and computing $t := g^r$,

— $c := \mathcal{H}(g\|y\|t\|m)$, and

— $s := r - cx$ (in $\mathbb{Z}$).

Showing that the interactive protocol corresponding to this signature scheme and the key setup is a proof of knowledge of the integer $x := \log_g y$ is straightforward. The proof that it is honest-verifier statistical zero-knowledge for any $\varepsilon > 1$ is immediate from the proofs given for similar protocols. In mu it is analyzed how much information $(t, c, s)$ gives about $x$ depending on the choice of $\varepsilon$.



4.2 Showing the Equality of Two Discrete Logarithms

The next SPK is an adoption of a protocol for showing the equality of two discrete logarithms given in HS| to the setting in which the order is unknown.

Definition 2. Let $\varepsilon > 1$ be a security parameter. A pair $(c, s) \in \{0, 1\}^k \times \{-2^{\ell_g + k}, \ldots, 2^{\varepsilon(\ell_g + k)}\}$ satisfying $c = \mathcal{H}(g\|h\|y_1\|y_2\|y_1^c g^s\|y_2^c h^s\|m)$ is a signature of a message $m \in \{0, 1\}^*$ with respect to $y_1$ and $y_2$ and is denoted

$$SPK\{(\alpha) : y_1 = g^{\alpha} \wedge y_2 = h^{\alpha}\}(m).$$

Let $x \in \{0, 1\}^{\ell_g}$ be the secret key of the signer such that $y_1 = g^x$ and $y_2 = h^x$ holds. Then a signature $SPK\{(\alpha) : y_1 = g^{\alpha} \wedge y_2 = h^{\alpha}\}(m)$ of a message $m \in \{0, 1\}^*$ can be computed as follows.

— Choose $r \in_R \{0, 1\}^{\varepsilon(\ell_g + k)}$ and compute $t_1 := g^r$, $t_2 := h^r$,

— $c := \mathcal{H}(g\|h\|y_1\|y_2\|t_1\|t_2\|m)$, and

— $s := r - cx$ (in $\mathbb{Z}$).

The security proofs of this building block follow from the ones of the previous building block.



4.3 Showing the Knowledge of One out of Two Discrete Logarithms

The realization of the following SPK of one out of two discrete logarithms is an adoption of a protocol given in l_20j to the setting with unknown order.

Definition 3. Let $\varepsilon > 1$ be a security parameter. A tuple $(c_1, c_2, s_1, s_2) \in \{0, 1\}^k \times \{0, 1\}^k \times \{-2^{\ell_g + k}, \ldots, 2^{\varepsilon(\ell_g + k)}\} \times \{-2^{\ell_g + k}, \ldots, 2^{\varepsilon(\ell_g + k)}\}$ satisfying

$$c_1 \oplus c_2 = \mathcal{H}(g\|h\|y_1\|y_2\|y_1^{c_1} g^{s_1}\|y_2^{c_2} h^{s_2}\|m)$$

is a signature of a message $m \in \{0, 1\}^*$ with respect to $y_1$ and $y_2$ and is denoted

$$SPK\{(\alpha, \beta) : y_1 = g^{\alpha} \vee y_2 = h^{\beta}\}(m).$$

Assume that the signer knows $x \in_R \{0, 1\}^{\ell_g}$ such that $y_1 = g^x$ holds. Then a signature $SPK\{(\alpha, \beta) : y_1 = g^{\alpha} \vee y_2 = h^{\beta}\}(m)$ of a message $m \in \{0, 1\}^*$ can be computed as follows.

— Choose $r_1 \in_R \{0, 1\}^{\varepsilon(\ell_g + k)}$, $r_2 \in_R \{0, 1\}^{\varepsilon(\ell_g + k)}$, $c_2 \in_R \{0, 1\}^k$ and compute $t_1 := g^{r_1}$ and $t_2 := y_2^{c_2} h^{r_2}$,

— $c_1 := c_2 \oplus \mathcal{H}(g\|h\|y_1\|y_2\|t_1\|t_2\|m)$,

— $s_1 := r_1 - c_1 x$ (in $\mathbb{Z}$), and $s_2 := r_2$.

The security proofs of this building block follow from the ones of the previous building blocks and from m-.

4.4 Showing that a Discrete Logarithm Lies in an Interval

The last building block is based on a proof that the secret the prover knows lies in a given interval. It is related to a protocol presented by Chan et al. m.

Definition 4. Let $\varepsilon > 1$ be a security parameter and let $\ell_1 < \ell_g$ and $\ell_2$ denote lengths. A pair $(c, s) \in \{0, 1\}^k \times \{-2^{\ell_2 + k}, \ldots, 2^{\varepsilon(\ell_2 + k)}\}$ satisfying $c = \mathcal{H}(g\|y\|g^{s - c 2^{\ell_1}} y^c\|m)$ is a signature of a message $m \in \{0, 1\}^*$ with respect to $y$ and is denoted

$$SPK\{(\alpha) : y = g^{\alpha} \wedge (2^{\ell_1} - 2^{\varepsilon(\ell_2 + k) + 1} < \alpha < 2^{\ell_1} + 2^{\varepsilon(\ell_2 + k) + 1})\}(m).$$

Such a signature of a message $m \in \{0, 1\}^*$ with respect to a public key $y \in G$ can be computed as follows if an $x \in \{2^{\ell_1}, \ldots, 2^{\ell_1} + 2^{\ell_2} - 1\}$ is known such that $y = g^x$ holds:

— choose $r \in_R \{0, 1\}^{\varepsilon(\ell_2 + k)}$ and compute $t := g^r$,

— $c := \mathcal{H}(g\|y\|t\|m)$, and

— $s := r - c(x - 2^{\ell_1})$ (in $\mathbb{Z}$).

Theorem 1. The interactive protocol corresponding to the signature scheme of Definition 4 and the key setup is a statistical honest-verifier zero-knowledge proof of knowledge of an $x \in \{2^{\ell_1} - 2^{\varepsilon(\ell_2 + k) + 1}, \ldots, 2^{\ell_1} + 2^{\varepsilon(\ell_2 + k) + 1}\}$ such that $y = g^x$ holds.

Proof (Sketch). The proof that the protocol is statistical honest-verifier zero-knowledge is as before.

Let us consider the proof-of-knowledge part. Extracting the $x$ such that $g^x = y$ is as usual. It remains to show that the extracted $x$ indeed lies in the required interval. Let $(t, c_i, s_i)$ be the accepting triples that the knowledge extractor got and used to compute $x$. Then we have $y^{c_1} g^{s_1 - c_1 2^{\ell_1}} = y^{c_2} g^{s_2 - c_2 2^{\ell_1}}$, where $c_1 \neq c_2$. Without loss of generality, we can assume that $c_2 > c_1$. Let $\Delta s := s_1 - s_2$ and $\Delta c := c_2 - c_1$. Then $(x - 2^{\ell_1})\Delta c = \Delta s \pmod{\mathrm{ord}(g)}$ holds. As $\Delta c \in \{1, \ldots, 2^k - 1\}$ and $\Delta s \in \{-2^{\varepsilon(\ell_2 + k) + 1}, \ldots, 2^{\varepsilon(\ell_2 + k) + 1}\}$, we have $(x - 2^{\ell_1})\Delta c \in \{-2^{\varepsilon(\ell_2 + k) + 1}, \ldots, 2^{\varepsilon(\ell_2 + k) + 1}\} + j \cdot \mathrm{ord}(g)$ and thus also $(x - 2^{\ell_1}) \in \{-2^{\varepsilon(\ell_2 + k) + 1}, \ldots, 2^{\varepsilon(\ell_2 + k) + 1}\} + j \cdot \mathrm{ord}(g)$ for some integer $j$. From this it follows that $x \pmod{\mathrm{ord}(g)} \in \{2^{\ell_1} - 2^{\varepsilon(\ell_2 + k) + 1}, \ldots, 2^{\ell_1} + 2^{\varepsilon(\ell_2 + k) + 1}\}$. As it is assumed to be infeasible for the prover to compute the order of $g$, the integer $x$ must in fact lie in $\{2^{\ell_1} - 2^{\varepsilon(\ell_2 + k) + 1}, \ldots, 2^{\ell_1} + 2^{\varepsilon(\ell_2 + k) + 1}\}$ (cf. |22j). □

Note that $\varepsilon(\ell_2 + k) + 2 < \log(\mathrm{ord}(g)) \approx \ell_g$ should hold in order to indeed restrict the size of $\log_g y$.

5 Proposed Scheme

In this section we propose a realization of a group signature scheme the security of which is based on Assumptions 1 and 2. The basic idea of the scheme is the following. The membership manager chooses a group $G = \langle g \rangle$ and a group element $z$ such that both assumptions hold. Furthermore, he chooses a second generator $h$ such that $\log_g h$ is unknown. Computing discrete logarithms in $G$ to the bases $g$, $h$, or $z$ must be infeasible. Finally, computing roots in $G$ must be feasible only for the membership manager, i.e., he is the only one who should know the order of $G$. The revocation manager chooses his secret key $x$ and publishes $y = g^x$.

Each group member chooses a prime $e$ randomly in a certain range together with the membership manager. Only the group member learns $e$ and stores it as a secret key. A membership certificate issued by the membership manager is an element $u \in G$ such that $u^e = z$ holds. Here we slightly deviate from the approach of Camenisch and Stadler, i.e., the membership certificate and the membership key are the same value. As a consequence, the issuing of certificates must be realized in a way that the membership manager is not able to learn the group member's secret key $e$.

A signature of a message $m$ by a group member consists of a triple $(a, b, d) \in G^3$ and an SPK of integers $u$ and $e$ such that

— $u$ is encrypted in $(a, b)$ under the revocation manager's public key (which is part of the group public key),

— $d$ commits to $e$,

— $e$ lies in a given range, and

— $u^e = z$ holds.

The membership manager can reveal the identity of a signer by asking the revocation manager to decrypt $(a, b)$.

The following paragraphs describe the new scheme in detail and provide security and efficiency analyses.



5.1 Setup of the Scheme

The setup procedure of our scheme consists of two phases. In the first phase the membership manager and the revocation manager construct the group's public key and choose their secret keys. This is described in this subsection. In the second phase of the setup, the group members choose their membership secret keys and get their membership certificates. This phase is described in the next subsection.

The membership manager chooses a group $G = \langle g \rangle$ and two random elements $z, h \in G$ with the same large order ($\approx 2^{\ell_g}$) such that Assumptions 1 and 2 hold. He publishes $z$, $g$, $h$, $G$, $\ell_g$, and a proof that $z$, $g$, and $h$ have the same large order, of the order of magnitude $2^{\ell_g}$. Also, he proves that the order of $g$, $h$, and $z$ is neither prime nor smooth; the latter would enable the membership manager to compute discrete logarithms in $G$. The membership manager must also prove that $z$ and $h$ were chosen at random. The revocation manager chooses his secret key $x$ randomly in $\{0, \ldots, 2^{\ell_g} - 1\}$ and publishes $y = g^x$ as his public key. Finally, a hash function $\mathcal{H} : \{0, 1\}^* \to \{0, 1\}^k$ and security parameters $\ell$, $\ell_1$, $\ell_2$, and $\varepsilon$ are set. An example for choosing the parameters $\varepsilon$, $\ell$, $\ell_g$, $\ell_1$, and $\ell_2$ is given in Section 5.6.

A possible choice of $G = \langle g \rangle$ is a subgroup of $\mathbb{Z}_n^*$ such that $(g|n) = 1$. In this case the membership manager chooses two large random primes $p$ and $q$ of the form $p = 2p' + 1$ and $q = 2q' + 1$, where $p'$ and $q'$ are primes as well, such that $p, q \not\equiv 1 \pmod 8$ and $p \not\equiv q \pmod 8$ holds. He keeps $p$ and $q$ secret and publishes $n := pq$. For proving that $n$ is of the right form, there is no efficient proof system to the best of our knowledge. Thus one has to use general zero-knowledge proof techniques and a circuit that takes as input integers $p$, $q$, $p'$, and $q'$ and outputs 1 if and only if the inputs are primes and if $n = pq$, $p = 2p' + 1$, and $q = 2q' + 1$ holds. The size of $p$ and $q$ can be checked by the number of input bits for them (they should have at most $\lceil 0.5 \log n \rceil$ bits). This is not very efficient but must be done only once. To verify that an element $a$ has the (large) order $p'q'$ in $\mathbb{Z}_n^*$ and Jacobi symbol 1, one needs only to test whether $a \neq 1 \pmod n$ and $\gcd(a - 1, n) = 1$ holds and to provide a proof that $a$ is a quadratic residue modulo $n$. An alternative choice of $G$ is a suitable elliptic curve (e.g., see ED]).
5.2 Registration

To become a group member Alice chooses a random prime $\tilde{e} \in_R \{\ldots, 2^{\ell} - 1\}$ such that $\tilde{e} \not\equiv 1 \pmod 8$ and a random number $e_1 \in_R \{1, \ldots, 2^{\ell_2} - 1\}$. She computes $\tilde{z} := z^{\tilde{e}} \pmod n$ and a commitment $c$ to $e_1$ with randomness $r_{e_1} \in_R \{0, 1\}^{\ell_g}$. Then she sends $\tilde{z}$ and $c$ to the membership manager. The membership manager chooses a random number $e_2 \in_R \{1, \ldots, 2^{\ell_2} - 1\}$ and sends it to Alice. Alice computes $e_3 := e_1 + e_2 \pmod{2^{\ell_2}}$ and $\hat{e} := e_3 + 2^{\ell_1}$. If $\hat{e}$ is not a prime satisfying $\hat{e} \not\equiv 1 \pmod 8$ and $\hat{e} \not\equiv \tilde{e} \pmod 8$, Alice reveals $\tilde{e}$ and $\hat{e}$ to enable the membership manager to check that she hasn't cheated, and they repeat the whole process. The success probability per round is roughly $1/(\ell_1 \cdot 2 \ln 2)$.

If $\hat{e}$ is a prime, Alice computes $e := \tilde{e}\hat{e}$, commits to $e$ and $\tilde{z}$ (for instance by signing them), sends $e$, $\tilde{z}$, and their commitments to the membership manager, and carries out the interactive protocol corresponding to

IT := 5PA{(a,/3,7,(5,C) : c = A (-2'=(^=+'=)+i < a < A 

z = z^ A {{cz^^-'^‘''+‘^‘^)/z^ = V , 

with the membership manager (cf. previous section). Furthermore, Alice proves that $e$ is the product of two primes (e.g., using the methods described in IM b). Using the same arguments as for the building blocks in the previous section, it can be seen that the protocol corresponding to $W$ convinces the membership manager that Alice has formed $e$ and $\tilde{z}$ correctly and that $e / \log_z \tilde{z} - 2^{\ell_1}$ equals the sum of $e_2$ and the $e_1$ committed to in $c$ modulo $2^{\ell_2}$.

The membership manager computes $u := \tilde{z}^{1/e}$ and sends $u$ to Alice, who checks that $z = u^{\hat{e}}$ holds (which is equivalent to $\tilde{z} = u^e$). The membership manager stores $(u, e, \tilde{z})$ together with Alice's identity and her commitment to $e$ and $\tilde{z}$ in a group-member list. Finally, Alice stores the pair $(u, \hat{e})$ as her membership key.

Of course, $\ell$, $\ell_1$, and $\ell_2$ must be chosen such that $e$ cannot be factored (cf. Section 5.6). In particular $\ell_2 > \ell_1 - (\ell + \ell_1)/4$ must hold.



5.3 Signature Generation

Let us first define a group signature and then show how a group member can compute such a signature.

Definition 5. Let $\varepsilon$, $\ell_1$, and $\ell_2$ be security parameters such that $\varepsilon > 1$, $\ell_2 < \ell_1 < \ell_g$, and $\ell_2 < k$ holds. A group signature $\mathrm{sign}(x_G, (g, h, y, z), m)$ of a message $m \in \{0, 1\}^*$ is a tuple $(c, s_1, s_2, s_3, a, b, d) \in \{0, 1\}^k \times$

|_2^2+fc X |— X {— X 

satisfying 



^. = n{g\\h\\y\\z\\a 



n.si-c2 






Remark. Such a group-signature would be denoted 



SPK{{r],id,^) : z = b^/y^ A 1 = a’*// A a = g^ A d = g^h^ A 

(2^ _2dU+fe)+i < ^ < 2^1 -I 2'"(^"+'')+^)}(m). 
To sign a message m ∈ {0,1}^* on the group's behalf, a group member Alice

- chooses w ∈_R {0, 1}^{ℓ_g}, computes a := g^w, b := u y^w, and d := g^e h^w,

- chooses r_1 ∈_R {0, …}, r_2 ∈_R {0, …}, and r_3 ∈_R {0, …} and computes

- t_1 := b^{r_1}/y^{r_2}, t_2 := …, t_3 := …, t_4 := …,

- c := H(g || h || y || z || a || b || d || t_1 || t_2 || t_3 || t_4 || m),

- s_1 := r_1 − c(e − 2^{ℓ_1}) (in Z), s_2 := r_2 − c e w (in Z), and s_3 := r_3 − c w (in Z).

The resulting signature of m is (c, s_1, s_2, s_3, a, b, d). It can easily be verified that it satisfies the verification condition given in Definition 5.

5.4 Verifying Signatures, Tracing, and Verifying Tracing

A signature (c, s_1, s_2, s_3, a, b, d) of a message m can be verified by checking the equation stated in Definition 5.

To reveal the originator of a given signature σ := (c, s_1, s_2, s_3, a, b, d) of a message m, the revocation manager first checks its correctness. He aborts if the signature is not correct. Otherwise he computes u' := b/a^{log_g y}, issues P := SPK{(α) : y = g^α ∧ b/u' = a^α}(σ||m) (see Section 2), and reveals arg := u'||P. He then looks up u' in the group-member list and finds the corresponding u, the group member's identity and his/her commitment to e and z.

Checking whether the revocation manager correctly revealed the originator of a signature σ = (c, s_1, s_2, s_3, a, b, d) of a message m can simply be done by verifying σ and arg.



5.5 Security Analysis

Before discussing the security requirements described in Section …, let us have a closer look at the interactive protocol corresponding to the generation of a group signature and the parameter setup.

Theorem 2. The interactive protocol sequentially composed of the parameter setup and the protocol corresponding to the generation of a group signature is a zero-knowledge proof of knowledge of a membership key and certificate. Furthermore, the pair (a, b) encrypts the certificate under the revocation manager's public key y.

Proof (Sketch). Using the standard techniques (cf. Section …), this protocol can be shown to be a statistical zero-knowledge proof of knowledge of values x_1, x_2, and x_3 such that

x_1 ∈ {2^{ℓ_1} − …, …, 2^{ℓ_1} + …}, z = b^{x_1}/y^{x_2}, 1 = a^{x_1}/g^{x_2}, a = g^{x_3}, and d = g^{x_1} h^{x_3}

holds. From the second and third equations we can conclude that g^{x_2} = g^{x_3 x_1} and thus also x_2 = x_1 x_3 holds. Therefore, we have

z = b^{x_1}/y^{x_2} = b^{x_1}/y^{x_1 x_3} = (b/y^{x_3})^{x_1}

A Group Signature Scheme with Improved Efficiency 171

and hence (x_1, b/y^{x_3}) is a valid membership key-pair. The triple (a, b, d) is an unconditionally binding commitment to these two values and hence the group member/prover must have known them when she computed a, b, and d. Since it is assumed that the group member can compute neither roots nor discrete logarithms (as otherwise Assumption … would not hold), she must have had other means to get such a pair, i.e., by having run the registration protocol with the membership manager.

Finally, the commitments can be opened by the entities knowing log_g y and log_g h, respectively, i.e., the values are encrypted for these entities. We recall that the first discrete log was chosen by the revocation manager, while the second is assumed to be unknown. □

Let us now informally discuss the security properties of the proposed group signature scheme.

Unforgeability of Signatures: This is due to Theorem 2.

Anonymity of Signatures: It can be shown that the values c, s_1, s_2, and s_3 do not reveal any useful knowledge. Hence, deciding whether a signature (c, s_1, s_2, s_3, a, b, d) originates from a group member with public key u' requires deciding whether log_g a = log_y (b/u'). If one was able to decide this efficiently, this would violate Assumption 2.

Unlinkability of Signatures: Linking two signatures, i.e., deciding whether two signatures (c, s_1, s_2, s_3, a, b, d) and (c', s_1', s_2', s_3', a', b', d') originate from the same group member, requires deciding whether log_g (a/a') = log_y (b/b') = log_h (d/d'), as c, s_1, s_2, s_3 and c', s_1', s_2', s_3' do not reveal useful knowledge. Under Assumption 2 this is infeasible and hence signatures are unlinkable.

No Framing: Given Theorem 2, signing in the name of a group member with certificate u and … requires the computation of log_u z or factoring the value e that the membership manager received from the group member during registration. Both are assumed to be infeasible.

Unforgeability of Tracing: The pair (a, b) that is part of a signature is an ElGamal encryption of the signer's membership key under the revocation manager's public key y. Theorem 2 shows that b/(y^{log_g a}) = b/a^{log_g y} is a valid membership public key. Due to Assumption … this must be the membership certificate of the group member who signed. Therefore, by decrypting (a, b) the revocation manager can reveal the originator of a signature at hand. In the tracing algorithm the revocation manager issues an SPK denoted arg which shows that he decrypted the membership public key correctly. Forging this SPK is infeasible under Assumption ….



5.6 Efficiency Analysis

With ε = 9/8, ℓ_g = ℓ = 1200, ℓ_1 = 860, ℓ_2 = 600, and k = 160, the signature generation and verification need a little less than 15'000 modular multiplications modulo a 1200-bit modulus on average, and the signature is about 1 KByte long. Compared to the most efficient scheme given in […], our scheme is about three times more efficient and signatures are about three times shorter when choosing the same modulus for both schemes. Signatures could be made shorter without compromising the security of the scheme if the parameter w in the signing procedure is chosen from a smaller domain, e.g., {0, 1}^{ℓ_2} instead of {0, 1}^{ℓ_g}.

⁶ This is important: since the knowledge extractor knows the order, he can always find a random e and u such that z = u^e.

6 Conclusion

It is worthwhile noting that it is possible to realize blind group signatures using the techniques given in […], which are much more efficient than the blind versions of […] given in […]. Splitting the membership and/or the revocation manager can be done by applying the techniques of […] and […], respectively (see also […]). As the signature generation algorithm was derived from an interactive protocol, a group identification scheme (also called identity escrow […]) is obtained by using this protocol for identification.
Abstract. A digital signature scheme is one of the essential cryptographic primitives for secure transactions over open networks. The Korean cryptographic community, in association with government-supported agencies, has made a continuous effort over the past three years to develop its own signature standard. The outcome of this long effort is the signature algorithm called KCDSA, which is now at the final stage of the standardization process and will be published as one of the KICS (Korean Information and Communication Standards). This paper describes the proposed signature algorithm and discusses its security and efficiency aspects.

1 Introduction

The digital signature technique, a technique for signing and verifying digital documents in an unforgeable way, is essential for secure transactions over open networks. Digital signatures can be used in a variety of applications to ensure the integrity of data exchanged or stored and to prove the originator's identity to the recipient.

A group of Korean cryptographers, in association with government-supported agencies, has been developing a candidate algorithm for a Korean digital signature standard, temporarily named KCDSA (standing for Korean Certificate-based Digital Signature Algorithm). As a result of this effort over three years, a final algorithm has been established and is now being standardized by the Korean Government. This signature algorithm, once standardized, is hoped to be widely supported in commercial security products by Korean industries and possibly by the Government. In addition, a standard hash algorithm, developed for use with KCDSA, is also in the standardization process.

* KCDSA was developed by a task force team consisting of Sang Jae Moon (Kyung Pook Univ.), Dong Ho Won (Sung Gyun Kwan Univ.), Sung Jun Park (KISA), Chung Ryong Jang (Kyung Dong Univ.), Shin Gak Kang (ETRI), Eun Jeong Lee (POSTECH), Sang Bae Park (IDIS), Chul Kim (Kwang Woon Univ.), Kyung Seok Lee (KIET), Jae Hyun Baek (ADD), Jong Tae Shin (KISA), etc., and the present authors, under the financial support of ETRI (Electronics and Telecommunications Research Institute) and KISA (Korea Information Security Agency).

K. Ohta and D. Pei (Eds.): ASIACRYPT'98, LNCS 1514, pp. 175–…, 2000.
The security of most signature schemes widely used in practice is based on two difficult problems: the problem of factoring integers (e.g., RSA […]) and the problem of finding discrete logarithms over finite fields (e.g., ElGamal […]). The RSA scheme is used in many applications as a de facto standard. On the other hand, two variants of the ElGamal scheme have been standardized in the U.S.A. as the Digital Signature Standard (DSS) and in Russia as GOST 34.10 (see […]). KCDSA is also an ElGamal-type signature scheme. There have been a lot of discussions on whether our national standard should be of RSA type or of ElGamal type. There has also been some controversy on establishing a new standard other than the widely used schemes such as RSA and DSA. Putting the story behind this aside, we concluded to design our own signature scheme, and KCDSA is the outcome. KCDSA is designed by incorporating several features from recent cryptographic research and thus is believed to be secure and robust.

In this paper we describe the proposed standard for KCDSA and discuss security and efficiency aspects considered during the design process. Throughout this paper we will use the following symbols and notation:

— a ⊕ b : exclusive-or of two bit strings a and b.

— a || b : concatenation of two bit strings a and b.

— Z_n = {0, 1, …, n − 1} and Z_n^* = {a | 1 ≤ a ≤ n − 1 & gcd(a, n) = 1}.

— |A| denotes the bit-length of A for an integer A and the cardinality of A for a set A.

— k ∈_R S denotes that k is chosen at random from the set S.

This paper is organized as follows. We describe the KCDSA parameters in Section 2 and the detailed signature algorithm in Section 3. The security and efficiency aspects of KCDSA are discussed in Sections 4 and 5, respectively. In Section 6 we briefly describe an elliptic curve variant of KCDSA and finally we conclude in Section 7.



2 KCDSA Parameters

KCDSA parameters can be divided into domain parameters and user parameters. By domain we mean a group of users who share the same public parameters (domain parameters). A domain may consist of a single user if the user uses its own public parameters. User parameters denote parameters which are specific to each user and cannot be shared with others. These parameters must be established before normal use of digital signatures by some trusted authorities and/or by users. KCDSA makes use of the following domain and user parameters (see the Appendix for a procedure that can be used to generate domain parameters):

Domain Parameters: p, q, g such that

— p : a large prime such that L_p = |p| = 512 + 256i for i = 0, 1, …, 6. That is, the bit-length of p can vary from 512 bits to 2048 bits in increments of 256 bits.

— q : a prime factor of p − 1 such that L_q = |q| = 128 + 32j for j = 0, 1, …, 4. That is, the bit-length of q can vary from 128 bits to 256 bits in increments of 32 bits. Further, it is required that (p − 1)/2q should be a prime or at least all its prime factors should be greater than q.¹

— g : a base element of order q mod p, i.e., g ≠ 1 and g^q = 1 mod p.

User Parameters: x, y, z such that

— x : signer's private signature key such that x ∈_R Z_q^*.

— y : signer's public verification key computed by y = g^{x^{-1}} mod p, where x^{-1} denotes the multiplicative inverse of x mod q.²

— z : a hash value of Cert_Data, i.e., z = h(Cert_Data). Here Cert_Data denotes the signer's certification data, which should contain at least the signer's distinguished identifier, the public key y and the domain parameters {p, q, g}.

KCDSA is a signature algorithm in which the public key is validated by means of a certificate issued by some trusted authority. An X.509-based certificate may be used for this purpose. In this case, Cert_Data can simply be the formatted certification data defined by X.509.

KCDSA also requires a collision-resistant hash function which produces L_q-bit outputs. Since q can vary in size from 128 bits to 256 bits in increments of 32 bits, we need a family of hash functions or a hash function which can produce variable-length outputs up to 256 bits. Currently a hash algorithm with 160-bit outputs called HAS-160 is being standardized. Hash functions for the other sizes of q are left as future work.

3 The Signature Algorithm

3.1 Signature Generation

The signer can generate a signature {r||s} for a message m as follows:

1. randomly picks an integer k in Z_q^* and computes w = g^k mod p,

2. computes the first part r of the signature as r = h(w),

3. computes e = r ⊕ h(z||m) mod q, and

4. computes the second part s of the signature as s = x(k − e) mod q.

¹ This restriction on the size of the prime factors of (p − 1)/2q is to take precautions against possible attacks using small-order subgroups of Z_p^* in various applications of KCDSA (see […] for details).

² Notice that there is essentially no difference in the signature algorithm if the secret-public key pair is represented by {x^{-1} mod q, y = … mod p}. We simply adopted the above notation to clarify (to the public unaware of cryptography) that we only need x for signing purposes. This kind of key pair may be undesirable if the same key is to be used for other purposes as well (e.g., key exchange or entity authentication). However, it is a common practice in cryptographic protocol design that the same key should not be used for different purposes.
The computation of w is the most time-consuming operation in the signing process. However, since the first two steps can be performed independently of the specific message to be signed, we may precompute and securely store the pair {r, k} for fast on-line signature generation. The above signing process can be described in brief by the following two equations:

r = h(g^k mod p) with k ∈_R Z_q^*,
s = x(k − r ⊕ h(z||m)) mod q.



3.2 Signature Verification

On receiving {m||r||s}, the verifier can check the validity of the signature as follows:

1. first checks the validity of the signer's certificate, extracts the signer's certification data Cert_Data from the certificate and computes the hash value z = h(Cert_Data),³

2. checks the size of r and s : 0 < r < 2^{L_q}, 0 < s < q,

3. computes e = r ⊕ h(z||m) mod q,

4. computes w' = y^s g^e mod p and

5. finally checks that r = h(w').

The pair {r||s} is a valid signature for m only if all the checks succeed. The above verifying process can be described in brief by the following equations:

e = r ⊕ h(z||m),
r = h(y^s g^e mod p) ?

For comparison, we summarize three signature standards, DSA, GOST and KCDSA, in Table 1.

4 Security Considerations

4.1 Security Proof under the Random Oracle Model

Recently two variants of ElGamal-like signature schemes have been proven secure against adaptive attacks for existential forgery under the random oracle model […], where the hash function is replaced with an oracle producing a random value for each new query. In the first variant, h(m) is replaced with h(m||r) as in the Schnorr signature scheme. This variant was proven secure by Pointcheval and Stern […] at Eurocrypt'96. The other variant is due to Brickell […] at Crypto'96,

³ Note that a certificate corresponds to a trusted authority's signature for the formatted data containing all information required to bind the public key and related parameters/attributes to the key owner's identity. Therefore, the computation of z can in fact be part of the certificate validation process by taking Cert_Data as the formatted data to be signed.
Table 1. Comparison of DSA, GOST and KCDSA



where he claimed that the variant of DSA with r = (g^k mod p) mod q replaced by r = h(g^k mod p) is also secure in the random oracle model (see […] for its proof by Pointcheval and Vaudenay). We followed the latter approach to ensure the security of the overall design of KCDSA. From the proof under the random oracle model we can be assured that KCDSA will be secure provided that the hash function used has no weakness.



4.2 Security against Parameter Manipulation

A lot of weaknesses in the design of discrete-log-based schemes due to the use of unsafe parameters (later shown insecure) have been published (e.g., see […]). Note that generating public parameters at random so that they do not have any specific structure is very important for security, even with a provably secure scheme (compare the results from […] and […], see also […]). KCDSA is designed to be secure against all these potential weaknesses. The (proposed) standard recommends using the strongest form of primes […], i.e., primes p, q such that (p − 1)/2q is also a prime or at least its prime factors are all greater than q. It also specifies a procedure that can be used for the generation of such primes (see Appendix A). The certificate produced by this procedure can be used to verify proper generation of the parameters. Considering current algorithms and technology for finding discrete logarithms (see […]), we recommend using a modulus p of size 1024 bits and an auxiliary prime q of 160 bits for moderate security in most applications.
The use of the parameter z = h(Cert_Data) as a prefix message for hashing provides several advantages without much increase of computational/operational overheads.⁴

It effectively prevents possible manipulations during parameter generation, such as hidden collisions in DSS […], since Cert_Data contains p, q, g and y. In addition, the use of z restricts the collision search in the hash function to a specific signer, since each signer uses his/her own prefix z to produce a hash code for his/her message. To see its usefulness, suppose that in the case of using the usual hash code h(m) a collision is found for a specific pair of messages. Also suppose that one message out of the pair is a comfortable message that anyone can sign without reluctance. Then the collision can be used against any user to claim that the signature is for the harmful message. Realization of this scenario may be catastrophic, for example, if there exists some powerful organization willing to invest a huge amount of money to find collisions (the organization might find some unpublished weakness in the hash function which can substantially reduce the time for exhaustive search). Our new hash mode with a user-specific prefix can effectively thwart such an attempt at total forgery unless a serious weakness is found in the hash function.



5 Efficiency Considerations

KCDSA is designed to avoid the evaluation of multiplicative inverses in normal use. It is only needed at the time of key pair generation. For comparison, in DSA a multiplicative inverse mod q needs to be evaluated each time a signature is generated or verified, and in GOST each time a signature is verified (see Table 1). Evaluating an inverse mod q takes only a very small portion of the overall workload of signing/verifying on most general purpose computers. However, it may be quite expensive in a limited computing environment such as smart cards (see […] for various comments on DSS including debates on the use of inverses). On the other hand, KCDSA needs one more call of a hash function to digest a message of length |p| during both the signature generation and the verification process. This will not cost much in any environment.

We have implemented various signature schemes in the C language with inline assembly and measured their timings on a 90 MHz Pentium and a 200 MHz Pentium Pro.⁵ The result is shown in Table 2. As can be expected, KCDSA and DSA show almost the same performance figures, but GOST runs about 63 % slower than KCDSA/DSA since it uses a 256-bit prime q. For comparison, we also measured the speed of RSA for the same size of modulus.

⁴ In the present standard the hashed certification data z is used as part of the message (i.e., z||m is treated as the message to be signed). However, it may be more desirable to separate z from the message to be signed. For example, we may use z itself as a user-specific IV, or complete z into one block by zero-padding and use h(z||pad) as a user-specific IV. These variants will be further discussed in the next revision.

⁵ We used SHA-1 for hashing with a very short message in all the signature schemes. Multiplicative inverses were computed using an extended Euclidean algorithm.
Note that signature generation can be substantially sped up in both RSA and ElGamal-type schemes: we can use the Chinese Remainder Theorem to speed up RSA signature generation and the precomputation technique […] to speed up signature generation in ElGamal-type schemes. These performance figures are also shown after the slash in the Sign columns. The table shows that KCDSA/DSA can sign about 6 to 10 times faster than RSA, while RSA can verify about 12 to 13 times faster than KCDSA/DSA (RSA verification key: e = 2^16 + 1).







Table 2. Speed of various signature schemes for 1024-bit moduli (in msec)

                           Pentium/90               Pentium Pro/200
Algorithm       Lang.   Sign           Verify    Sign           Verify
DSA             C       289 / 57.8°    359       95.0 / 18.9    117
(|q| = 160)     D       148 / 29.8     182       47.3 / 9.7     58.0
                A       64.0 / 13.7    79.1      17.5 / 3.9     21.7
GOST            C       457 / 87.8     559       147 / 28.0     181
(|q| = 256)     D       236 / 44.3     287       73.4 / 14.0    92.3
                A       105 / 19.1     125       27.2 / 5.2     35.3
KCDSA           C       287 / 56.2     359       93.3 / 18.0    116
(|q| = 160)     D       145 / 28.0     185       46.4 / 9.0     57.4
                A       62.8 / 12.4    77.7      17.0 / 3.3     20.9
RSA             C       1730 / 502*    25.8      568 / 163      8.6
(e = 2^16 + 1)  D       878 / 254      15.8      279 / 83.5     5.3
                A       378 / 114      6.0       103 / 33.1     1.7

Notes:
C = C only,
D = C with double digit option (__int64) provided by MSVC,
A = C with partial inline assembly.
* used CRT for signature generation.
° used a precomputation table of 32 KBytes (6×4 config., see […]).



6 Elliptic Curve KCDSA

Much attention has been paid to elliptic curve cryptosystems in recent years, due to their stronger security and higher speed with smaller key size. An elliptic curve variant of KCDSA (EC-KCDSA for short) was not considered during the standardization process. However, we have recently worked on an alternative implementation of KCDSA over elliptic curves and completed a high-level specification of EC-KCDSA. The following brief description of EC-KCDSA is expected to be included in the next revision or as an addendum.

Let E be an elliptic curve over a finite field and #(E) be the order of E (the total number of points on E). The curve E should be chosen so that #(E) is

182 C.H. Lim and P.J. Lee

divisible by a prime q of size L_q bits. Domain parameters consist of the description of the elliptic curve E, the prime q and a point G = (g_x, g_y) on E generating a cyclic group of prime order q.⁶ As user parameters, each signer picks at random a private signature key x over Z_q^* and computes the corresponding public key Y as Y = x̄G over E, where x̄ = x^{-1} mod q. The hashed certification data z and the hash function h are the same as before. Finally, for simplicity we write h(W) for an elliptic curve point W = (w_x, w_y) to denote h(w_x || w_y). Note here that the two coordinates w_x, w_y are treated as bit strings and thus they are simply concatenated (without conversion from elliptic curve point to integer) and hashed.

The signing and verifying processes of EC-KCDSA are almost the same as those of KCDSA, except for the change of group operations. That is, the underlying group is changed from the multiplicative group of a prime field into the additive group of elliptic curve points. The signature for message m consists of two integers r, s of size |q| generated by

r = h(kG) with k ∈_R Z_q^*,
s = x(k − r ⊕ h(z||m)) mod q,

where the computation of r consists of computing W = kG over E and then hashing the point W.

To verify the signature {m||r||s}, a verifier first performs the required checks on the certificate and the size of the signature components as in KCDSA (see steps 1 and 2 in Sect. 3.2). The verifier then recovers the point W using the received signature and checks the equality r = h(W) = h(w_x||w_y). That is, the verifying process can be described in brief by

e = r ⊕ h(z||m) mod q,
r = h(sY + eG) ?

In general, the security of EC-KCDSA will be stronger than that of KCDSA if both use the same size of q. However, more detailed security and efficiency analyses should be carried out after the complete specification of the various parameters.
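The EC-KCDSA signing and verification equations above, as an added example that is neither the paper's nor the EC-KCDSA specification's code. It assumes the public secp256k1 domain parameters (a curve of prime order, so #(E) = q, the ideal case of footnote 6), uses SHA-256 in place of the 256-bit hash the paper leaves for future work, hashes a point as the concatenation of its fixed-width coordinates as described, and implements the group law as affine double-and-add.

```python
import hashlib
import random

# secp256k1: a well-known curve whose group order is prime, so #(E) = q (footnote 6's ideal case).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7                                  # E: y^2 = x^3 + A x + B over GF(P)
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
LQ = 256                                     # |q| = 256, so h must give 256-bit output


def h(data: bytes) -> int:
    """SHA-256 stands in for the 256-bit hash the paper leaves for future work (assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def on_curve(pt) -> bool:
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0


def add(p1, p2):
    """Affine point addition on E; None denotes the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:      # p1 = -p2
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k: int, pt):
    """Scalar multiplication k * pt by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def h_point(w) -> int:
    """h(W) = h(w_x || w_y): the coordinates are concatenated as fixed-width bit strings."""
    return h(w[0].to_bytes(32, "big") + w[1].to_bytes(32, "big"))


def keygen(cert_data: bytes):
    """x in Z_q^*, Y = x^-1 G over E, z = h(Cert_Data); cert_data is a constructed stand-in."""
    x = random.randrange(1, Q)
    return x, mul(pow(x, -1, Q), G), h(cert_data)


def sign(x: int, z: int, m: bytes):
    k = random.randrange(1, Q)
    r = h_point(mul(k, G))                          # r = h(kG)
    e = (r ^ h(z.to_bytes(32, "big") + m)) % Q      # e = r xor h(z || m) mod q
    return r, x * (k - e) % Q                       # s = x(k - e) mod q


def verify(y, z: int, m: bytes, r: int, s: int) -> bool:
    if not (0 < r < 1 << LQ and 0 < s < Q):         # size checks (step 2 of Sect. 3.2)
        return False
    e = (r ^ h(z.to_bytes(32, "big") + m)) % Q
    w = add(mul(s, y), mul(e, G))                   # W = sY + eG, which equals kG if valid
    return w is not None and r == h_point(w)
```

Correctness follows from sY + eG = x(k − e)·x^{-1}G + eG = kG, so the verifier recovers exactly the point the signer hashed.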

7 Conclusion

We described the proposed digital signature standard for the Korean community and discussed its security and efficiency. The presented algorithm is now close to publication as one of the Korean Information and Communication Standards and is hoped to be widely used in security products by Korean industries and the Government. We hope this publication will stimulate further investigation of its security and the development of various useful applications based on it.

⁶ According to […], the effective key length can be reduced from |q| to 2|q| − |#(E)| bits in some applications of signature schemes. Therefore, considering the wide applications of signature schemes, we strongly recommend that an elliptic curve should be chosen so that the prime factors of #(E) other than q are as small as possible. Ideally, |q| = |#(E)|.
A Domain Parameter Generation for KCDSA

During the KCDSA initialization stage, a trusted authority in each domain has to generate and publish p, q, g such that

— p is a prime of specified length such that a prime q of specified length divides p − 1 and all prime factors of (p − 1)/2q are greater than q.

— g is a generator of a subgroup of Z_p^* of order q, i.e., g is an element of Z_p such that g^q = 1 mod p and g ≠ 1. Such a g can be generated by testing g^q = 1 mod p with random 1 < g < p.

As an example, we describe a method for generating primes p, q such that (p − 1)/2q is also prime. Let PRG(s, n) denote a pseudorandom number generator on input s generating an n-bit random number, defined by:

v_i = h(s + i mod q) for i = 0, 1, …, k − 1,

v_k = h(s + k mod q) mod 2^r,

PRG(s, n) = v_k || v_{k−1} || … || v_0,

where k = ⌊n/L_q⌋ and r = n mod L_q. The procedure for generating p, q (of size L_p, L_q, respectively) and g is as follows (see also Figure …):

1. choose an arbitrary integer s of at least L_q bits.

2. initialize five counters: tCount = rCount = 1, pCount = qCount = gCount = 0.

3. form Seed for PRG as:

w_2 = 0x00 || i || j || tCount,

w_1 = rCount || pCount,

w_0 = qCount || gCount || 0x00,

Seed = s || w_2 || w_1 || w_0,

where i and j are 8-bit numbers such that L_p = 512 + 256i and L_q = 128 + 32j, tCount and gCount are 8 bits long, and pCount, qCount and rCount are 16 bits long. It is assumed that Seed is automatically updated whenever any counter is changed.

4. generate a random number r of length L_p − L_q − 1 bits as follows:

u = PRG(Seed, L_p − L_q − 1),
r = 2^{L_p − L_q − 2} ∨ u ∨ 1,

where ∨ denotes bitwise-or.

5. test r for primality (e.g., using the Miller-Rabin probabilistic primality test […, page 379]). If r is prime, go to step 8.

6. increment rCount by 1.

7. If rCount < 2048, go to step 4. Otherwise, go to step 1.
8. set pCount = 1 and qCount = 1.

9. generate a random number q of length L_q bits using the updated Seed as follows:

u = PRG(Seed, L_q),
q = 2^{L_q − 1} ∨ u ∨ 1.

10. compute p = 2qr + 1. If |p| < L_p, go to step 12.

11. test q for primality. If q is prime, go to step 14.

12. increment qCount by 1.

13. If qCount < 1024, go to step 9. Otherwise, go to step 15.

14. test p for primality. If p is prime, go to step 19.

15. increment pCount by 1 and set qCount = 1.

16. If pCount < 4096, go to step 9.

17. increment tCount by 1.

18. If tCount < 256, go to step 3. Otherwise, go to step 1.

19. set gCount = 1.

20. generate a random number u of length L_p bits using the updated Seed as follows:

u = PRG(Seed, L_p).

21. compute g = u^{(p−1)/q} mod p. If g ≠ 1, go to step 24.

22. increment gCount by 1.

23. If gCount < 256, go to step 20. Otherwise, go to step 17.⁷

24. terminate with output p, q, g and Seed.

The Seed output can serve as a certificate for proper generation of the parameters p, q and g. Anyone can check that p, q and g are generated as specified, since Seed contains all necessary information to verify their proper generation. For example, the following parameters (|p| = 1024, |q| = 160) were generated using the described algorithm, where the initial user input s was taken as the first 160 bits of the fractional part of π = 3.14159…. From the seed, we can see that r = (p − 1)/2q was found by testing 991 random numbers (rCount = 0x3df = 991) and p was found by testing 1192 primes q (pCount = 0x77c = 1192) and so on. It is easy to verify that these parameters are generated according to the above procedure.






⁷ The probability of gCount exceeding 255 is negligible (gCount = 1 in almost all cases). For completeness, we simply make the control go back to step 3 in such an exceptional case (through steps 17, 18, 3).
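The Appendix A procedure (Seed layout, PRG, and the counter-driven search for r, q, p and g) together with the Section 3 signing and verification equations, as an added example that is not part of the paper or of the standard. It assumes the smallest sizes the standard allows (L_p = 512, L_q = 160) so that it runs in seconds, uses SHA-1 in place of HAS-160, and, because the PRG definition's "h(s + i mod q)" is not fully legible above, computes v_i = h(Seed + i) on the integer value of Seed, so its output differs from the paper's example parameters.

```python
import hashlib
import random

LP, LQ = 512, 160  # smallest sizes the standard allows (i = 0, j = 1); fast enough for a demo

def h(data: bytes) -> int:
    """Hash to an LQ-bit integer; SHA-1 stands in for HAS-160 here (assumption)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def i2b(x: int, nbytes: int) -> bytes:
    return x.to_bytes(nbytes, "big")

def is_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test, as the appendix suggests."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def prg(seed: bytes, n: int) -> int:
    """PRG(Seed, n) = v_k || ... || v_0 with v_i = h(Seed + i) and v_k cut to n mod LQ bits.
    Assumption: 'Seed + i' is integer addition on the big-endian value of Seed."""
    k, rem = divmod(n, LQ)
    base = int.from_bytes(seed, "big")
    out = 0
    for i in range(k + 1):
        v = h(i2b(base + i, len(seed) + 1))
        out |= (v % (1 << rem) if i == k else v) << (i * LQ)
    return out

def generate_domain_params(s: int):
    """Appendix A procedure: returns (p, q, g, Seed) with p = 2qr + 1, q and r prime."""
    i, j = (LP - 512) // 256, (LQ - 128) // 32
    ctr = dict(t=1, r=1, p=0, q=0, g=0)                      # step 2
    sbytes = i2b(s, (s.bit_length() + 7) // 8)

    def seed() -> bytes:                                     # step 3: s || w2 || w1 || w0
        w2 = b"\x00" + bytes([i, j, ctr["t"]])
        w1 = i2b(ctr["r"], 2) + i2b(ctr["p"], 2)
        w0 = i2b(ctr["q"], 2) + bytes([ctr["g"], 0])
        return sbytes + w2 + w1 + w0

    nr = LP - LQ - 1
    while True:
        while not is_prime(r := prg(seed(), nr) | 1 << (nr - 1) | 1):   # steps 4-7
            ctr["r"] += 1
            if ctr["r"] >= 2048:
                raise RuntimeError("step 1: choose a new s")
        ctr["p"], ctr["q"] = 1, 1                            # step 8
        while ctr["p"] < 4096:                               # steps 9-16
            q = prg(seed(), LQ) | 1 << (LQ - 1) | 1
            p = 2 * q * r + 1
            if p.bit_length() == LP and is_prime(q):         # steps 10-11
                if is_prime(p):                              # step 14
                    ctr["g"] = 1
                    while ctr["g"] < 256:                    # steps 19-23
                        g = pow(prg(seed(), LP), (p - 1) // q, p)
                        if g > 1:                            # g != 1 (0 is rejected as well)
                            return p, q, g, seed()           # step 24
                        ctr["g"] += 1
                    break                                    # -> step 17
                ctr["p"], ctr["q"] = ctr["p"] + 1, 1         # step 15
                continue
            ctr["q"] += 1                                    # step 12
            if ctr["q"] >= 1024:                             # step 13 -> step 15
                ctr["p"], ctr["q"] = ctr["p"] + 1, 1
        ctr["t"] += 1                                        # step 17
        if ctr["t"] >= 256:                                  # step 18
            raise RuntimeError("step 1: choose a new s")

def keygen(p, q, g, cert_data: bytes):
    x = random.randrange(1, q)                               # private key x in Z_q^*
    return x, pow(g, pow(x, -1, q), p), h(cert_data)         # y = g^(x^-1) mod p, z = h(Cert_Data)

def sign(p, q, g, x, z, m: bytes):
    k = random.randrange(1, q)
    r = h(i2b(pow(g, k, p), LP // 8))                        # r = h(g^k mod p)
    e = (r ^ h(i2b(z, LQ // 8) + m)) % q                     # e = r xor h(z || m) mod q
    return r, x * (k - e) % q                                # s = x(k - e) mod q

def verify(p, q, g, y, z, m: bytes, r: int, s: int) -> bool:
    if not (0 < r < 1 << LQ and 0 < s < q):                  # step 2 range checks
        return False
    e = (r ^ h(i2b(z, LQ // 8) + m)) % q                     # step 3
    w = pow(y, s, p) * pow(g, e, p) % p                      # step 4: w' = y^s g^e mod p
    return r == h(i2b(w, LP // 8))                           # step 5
```

The returned Seed carries the final counter values, so a verifier can rerun the same steps and confirm that p, q and g were derived as specified.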
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Abstract. The class of public- key cryptosystems based on error-correc- 
ting codes is one of the few alternatives to the common algorithms based 
on number theory. We here present an attack against these systems which 
actually consists of a new probabilistic algorithm for finding minimum- 
weight words in any large linear code. This new attack notably points 
out that McEliece cipher with its original parameters does not provide 
a sufficient security level. 



1 Introduction 

Since the concept of public-key cryptography appeared in 1977, searching for 
secure public-key cryptosystems and identification schemes has been one of the 
most active areas in the field of cryptology. Many public-key ciphers emerged 
just after the invention of RSA and their underlying problems were as varied 
as computing a discrete logarithm, solving a knapsack problem, inverting some 
polynomial equations over a finite field, etc. But the development of some 
cryptanalysis methods has finally made most of them insecure. Twenty years after 
the fundamental paper of Diffie and Hellman, public-key cryptography has 
therefore become dangerously dependent on only two problems: integer factoring 
and discrete logarithm. However the class of public-key ciphers and identification 
schemes based on error-correcting codes still resists cryptanalysis. It relies 
on the hardness of decoding or equivalently of finding a minimum-weight 
codeword in a large linear code with no visible structure. The most famous of 
these systems are McEliece and Niederreiter ciphers [McE78, Nie86], which 
are equivalent from the security point of view, and the identification 
schemes proposed by Stern [Ste89] and Veron [Ver95]. They are at the moment one 
of the few alternatives to the common public-key algorithms based on number 
theory. Studying their security seems therefore essential in order to anticipate a 
possible important progress in factoring methods for example. Moreover these 
public-key ciphers are particularly interesting since they run much faster than 
any algorithm relying on number theory. 

In this paper we present an attack on these cryptosystems which consists of a 
new probabilistic algorithm for finding minimum-weight codewords in any linear 
code. We first briefly present in Section 2 some public-key cryptosystems based 
on error-correcting codes. Section 3 then describes a new algorithm for finding 
minimum-weight words in any linear code. Using Markov chain theory we show 
in Section 4 how to compute the number of elementary operations it requires. 
In Section 5 we finally use these results to evaluate the security of these public-
key cryptosystems. We notably prove that the parameters which were originally 
proposed by McEliece for his cryptosystem make it insecure. 



2 Some Cryptosystems Based on Error-Correcting Codes 

The class of public-key cryptosystems based on the hardness of decoding or 
of finding a minimum-weight word in a large code contains both McEliece and 
Niederreiter ciphers and some zero-knowledge identification schemes like the one 
proposed by Stern. 



2.1 McEliece and Niederreiter Public-Key Ciphers 

McEliece cryptosystem uses as a secret key a linear binary code chosen in a 
family F of [n, k]-linear codes with error-correcting capability t for which an 
efficient decoding algorithm is known. In his original paper [McE78], McEliece 
proposed to choose this secret code amongst the irreducible binary Goppa codes 
of length 1024, dimension 524 and minimum distance 101. 

— private key: it is composed of an [n, k]-linear binary code C chosen in the 
family F, a random k × k binary invertible matrix S and a random n × n 
permutation matrix P. 

— public key: it consists of the k × n matrix G' defined by G' = SGP where 
G is a generator matrix of the secret code C. 

— encryption: the ciphertext corresponding to the k-bit message m is x = 
mG' + e, where e is a random n-bit error vector of weight t. 

— decryption: the decryption procedure consists in computing xP^{-1} = mSG + 
eP^{-1} and using a fast decoding algorithm for C to recover mS. The message 
is then given by m = (mS)S^{-1}. 

By definition the public key is therefore a generator matrix for another linear 
code C' which is equivalent to C. A ciphertext in McEliece cryptosystem then 
corresponds to a word of the public code C' with t corrupted positions. 

Niederreiter proposed a dual version of this system [Nie86] where the public 
key is a parity-check matrix H' of a code C' equivalent to the secret code. A 
plaintext m is here an n-bit vector of weight t and the associated ciphertext x 
corresponds to the syndrome of m relatively to the public code, x = mH'^T. 

McEliece and Niederreiter cryptosystems are actually equivalent from the 
security point of view when set up for corresponding choices of parameters [LDW94]. 
But for given parameters Niederreiter cipher presents many advantages. First of 
all it allows a public key in systematic form at no cost for security whereas this 



Cryptanalysis of the Original McEliece Cryptosystem 189 



would reveal a part of the plaintext in McEliece system. The public key in 
Niederreiter system is then (n − k)/n times smaller than in McEliece version. The 
systematic form of the public matrix H' and the low weight of vector m 
significantly reduce the computational cost involved in the encryption in Niederreiter 
system. For [1024, 524, 101]-binary codes its transmission rate, i.e. the number of 
information symbols divided by the number of transmitted symbols, is smaller 
than in McEliece system. Another disadvantage of McEliece system is that it 
is easy to recover the plaintext if it has been encrypted twice with the same 
public key. On the contrary Niederreiter cipher is deterministic since encrypting 
a given plaintext always leads to the same ciphertext. 

Table 1 sums up the characteristics of these systems when they both use 
[1024,524,101]-binary codes. It then shows that it is preferable to use the version 
proposed by Niederreiter. 





                                     McEliece           Niederreiter       RSA 
                                     [1024,524,101]     [1024,524,101]     1024-bit modulus 
                                     binary code        binary code        public exponent = 17 

public-key size                      67,072 bytes       32,750 bytes       256 bytes 

number of information bits 
transmitted per encryption           512                276                1024 

transmission rate                    51.17 %            56.81 %            100 % 

number of binary operations 
performed by the encryption 
per information bit                  514                50                 2,402 

number of binary operations 
performed by the decryption 
per information bit                  5,140              7,863              738,112 

Table 1. Performance of McEliece, Niederreiter and RSA public-key ciphers 



We give for information the values corresponding to the RSA system with 
a 1024-bit modulus n = pq when the public exponent is 17; we here suppose 
that RSA encryption and decryption use Karatsuba's method for large integer 
multiplication. These results point out that these public-key systems run much 
faster than RSA (about 50 times faster for encryption and 100 times faster for 
decryption). Their main disadvantages are the size of the public key and the lack 
of a related signature scheme. 

Cryptanalysis Methods There are mainly two guidelines to cryptanalyze 
McEliece cryptosystem: 

— recover the original structure of the secret code from a generator (or parity-
check) matrix of an equivalent code. 

— decode the public code which has no visible structure. 

The first class of attacks imposes some conditions on the family of secret codes F. 
For given length, dimension and minimal distance the family F must be large 
enough to avoid any enumeration. This aims at protecting the system from the 
attack which consists in enumerating all the elements of F until a code equivalent 
to the public code is found. This can be performed with an algorithm due to 
Sendrier [Sen98] which is able to determine from two generator matrices whether 
they correspond to equivalent codes and then to recover the permutation. A 
second condition is that a generator or parity-check matrix of a permutation 
equivalent code gives no information about the structure of the secret code, that 
means that the fast decoding algorithm requires some parameters of the secret 
code besides a generator matrix G'. This dismisses many families of codes like 
generalized Reed-Solomon codes [SS92] or concatenated codes [Sen94, Sen98]. 

But the family of irreducible Goppa codes is well-suited to such systems 
insofar as at present there exists no algorithm which is able to compute the 
characteristic parameters of a Goppa code from one of its permuted generator 
matrices. This class can even be extended to all [1024,524,101]-binary Goppa codes 
defined by a monic square-free polynomial of degree 50 in GF(1024)[X] which 
has no root in GF(1024). The cardinality of F is then 2^{…}. In the case where the 
used family of codes satisfies the above properties, the equivalent code C' defined 
by the public key presents no visible structure; recovering a plaintext from the 
corresponding ciphertext then comes down to decoding any linear code. 



2.2 Stern's Public-Key Identification Scheme 

Stern presented at Crypto'93 a public-key identification scheme which 
relies on the hardness of finding a low-weight codeword of given syndrome. This 
scheme uses an [n, k]-random linear code over GF(2). All users share a fixed 
parity-check matrix H for this code and an integer w slightly below the expected 
value for the minimal distance of a random linear code. Each user receives a 
secret key s which is an n-bit vector of weight w. His public key is then the 
syndrome sH^T. Any user can identify himself to another one by proving he 
knows s without revealing it thanks to an interactive zero-knowledge protocol. 
The minimal parameters proposed by Stern are n = 512, k = 256 and w = 56. 
Veron [Ver95] also proposed a dual version of this scheme similar to McEliece's 
original approach: it uses a generator matrix of the code instead of a parity-check 
matrix. He then suggested a new choice for the parameters in order to reduce 
the number of transmitted bits: n = 512, k = 120 and w = 114. 

3 A New Algorithm for Finding Low-Weight Codewords 

Let C be a linear binary code of length n, dimension k and minimum distance 
d about which nothing is known but a generator matrix. We now develop an 
algorithm for finding a word of weight w in C where w is close to d. This 
algorithm can also be used for decoding up to the correction capability t = ⌊(d − 1)/2⌋. 
If a message x is composed of a codeword corrupted by an error vector e of weight 
w ≤ t, e can be recovered with this algorithm since it is the only minimum-weight 
word in the linear code C ⊕ ⟨x⟩. Decoding an [n, k]-linear code then comes down 
to finding the minimum-weight codeword in an [n, k + 1]-code. 

Let N = {1, ..., n} be the set of all coordinates. For any subset I of N, G = 
(V, W)_I denotes the decomposition of matrix G onto I, that means V = (G_i)_{i∈I} 
and W = (G_j)_{j∈N\I} where G_i is the i-th column of matrix G. The restriction 
of an n-bit vector x to the coordinate subset I is denoted by x_{|I} = (x_i)_{i∈I}. As 
usual wt(x) is the Hamming weight of the binary word x. 

Definition 1. Let I be a k-element subset of N. I is an information set for the 
code C if and only if G = (Id_k, Z)_I is a systematic generator matrix for C. 



Our algorithm uses a probabilistic heuristic proposed by Stern [Ste89] which 
generalizes the well-known information set decoding method. But instead of 
exploring a set of randomly selected systematic generator matrices by performing 
at each iteration a Gaussian elimination on an (n × k)-matrix as most algorithms 
do [LB88, Leo88], we choose at each step the new information set by modifying 
only one element of the previous one. This procedure is similar to the one used 
in the simplex method and it was first introduced in [Omu72]. If I is an 
information set and G = (Id_k, Z)_I the corresponding systematic generator matrix, 
I' = (I \ {λ}) ∪ {μ} is still an information set for the code if and only if the 
coefficient Z_{λ,μ} equals 1. In this case, the systematic generator matrix associated 
with I' is obtained from the previous one by a simple pivoting procedure which 
only requires k(n − k)/2 binary operations. Using this iterative method then 
leads to the following algorithm: 



Initialization: 

Randomly choose an information set I and apply a Gaussian elimination in 
order to obtain a systematic generator matrix (Id_k, Z)_I. 

Until a codeword of weight w is found: 

1. Randomly split I in two subsets I1 and I2 where |I1| = ⌊k/2⌋ and |I2| = 
⌈k/2⌉. The rows of Z are then split in two parts Z1 and Z2. Randomly select 
a σ-element subset L of the redundant set J = N \ I. 

2. For each linear combination Λ1 (resp. Λ2) of p rows of matrix Z1 (resp. Z2), 
compute Λ1_{|L} (resp. Λ2_{|L}) and store all these values in a hash table with 
2^σ entries. 

3. Using the hash table consider all pairs of linear combinations (Λ1, Λ2) such 
that Λ1_{|L} = Λ2_{|L} and check whether wt((Λ1 + Λ2)_{|J\L}) = w − 2p. 

4. Randomly choose λ ∈ I and μ ∈ J such that Z_{λ,μ} = 1. Replace I with 
(I \ {λ}) ∪ {μ} by updating matrix Z by a pivoting operation. 

A codeword c of weight w is then exhibited when the selections I, I1 and L 
satisfy 

wt(c_{|I1}) = wt(c_{|I2}) = p and wt(c_{|L}) = 0 (1) 

Parameters p and σ have to be chosen in order to minimize the running-time of 
the algorithm. 
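The four steps above run on a constructed toy code, as an added example that is not part of the paper. It implements the information-set algorithm of this section in Python and uses it for two defensive tasks: checking the minimum distance of a small code, and decoding through the [n, k+1] code C ⊕ ⟨x⟩ described at the start of the section. The sample code (the cyclic binary Golay [23,12,7] code generated by g(x) = x^11 + x^10 + x^6 + x^5 + x^4 + x^2 + 1), the chosen error vector, the seed and all function names are assumptions of this example.

```python
# Added example, not from the paper: the iterative information-set algorithm of
# Section 3 on a constructed toy code (the binary Golay [23,12,7] code), used here
# to check a small code's minimum distance and to decode through C + <x>.
# Words are Python ints with bit i = coordinate i; all names are assumptions.
import itertools
import random


def weight(v):
    return bin(v).count("1")                      # Hamming weight wt(v)


def systematic_form(rows, n):
    """Gaussian elimination over GF(2) on a random column order. Returns (rows, pivots):
    row j is the only row with a 1 in column pivots[j], so pivots is an information
    set I and rows form (Id_k, Z)_I."""
    rows, pivots = list(rows), []
    cols = list(range(n))
    random.shuffle(cols)
    for c in cols:
        r = len(pivots)
        if r == len(rows):
            break
        sel = next((j for j in range(r, len(rows)) if rows[j] >> c & 1), None)
        if sel is None:
            continue
        rows[r], rows[sel] = rows[sel], rows[r]
        for j in range(len(rows)):
            if j != r and rows[j] >> c & 1:
                rows[j] ^= rows[r]
        pivots.append(c)
    if len(pivots) < len(rows):
        raise ValueError("generator rows are linearly dependent")
    return rows, pivots


def in_code(gen_rows, n, v):
    """True iff v is a codeword: reduce v against a systematic form of the generator."""
    for row, c in zip(*systematic_form(gen_rows, n)):
        if v >> c & 1:
            v ^= row
    return v == 0


def find_weight_w_word(gen_rows, n, w, p=1, sigma=3, max_iter=2000):
    """Steps 1 to 4 of Section 3: search for a codeword of weight exactly w."""
    k = len(gen_rows)
    rows, pivots = systematic_form(gen_rows, n)
    for _ in range(max_iter):
        # step 1: split I (indexed by the rows) into I1, I2; pick L, a sigma-subset of J = N \ I
        order = list(range(k))
        random.shuffle(order)
        I1, I2 = order[:k // 2], order[k // 2:]
        J = [c for c in range(n) if c not in set(pivots)]
        L_mask = sum(1 << c for c in random.sample(J, sigma))
        rest_mask = sum(1 << c for c in J) & ~L_mask            # J \ L
        # step 2: hash every sum of p rows of I1 by its restriction to L
        table = {}
        for combo in itertools.combinations(I1, p):
            v = 0
            for j in combo:
                v ^= rows[j]
            table.setdefault(v & L_mask, []).append(v)
        # step 3: a colliding pair sums to weight 2p on I and 0 on L, so the sum
        # has weight w exactly when its weight on J \ L is w - 2p (condition (1))
        for combo in itertools.combinations(I2, p):
            v = 0
            for j in combo:
                v ^= rows[j]
            for u in table.get(v & L_mask, ()):
                if weight((u ^ v) & rest_mask) == w - 2 * p:
                    return u ^ v
        # step 4: swap lambda = pivots[j] for a mu in J with Z[lambda, mu] = 1 (one pivot)
        j = random.randrange(k)
        ones = [c for c in J if rows[j] >> c & 1]
        if ones:
            mu = random.choice(ones)
            for i in range(k):
                if i != j and rows[i] >> mu & 1:
                    rows[i] ^= rows[j]
            pivots[j] = mu
    return None


def decode(gen_rows, n, x, t, **kw):
    """Recover e from x = c + e with wt(e) <= t: e is the unique word of weight <= t
    in the [n, k+1] code spanned by the generator rows and x (start of Section 3)."""
    if in_code(gen_rows, n, x):
        return 0
    for w in range(1, t + 1):
        e = find_weight_w_word(gen_rows + [x], n, w, **kw)
        if e is not None:
            return e
    return None


def golay_generator():
    """Constructed sample code: the 12 shifts of g(x) = x^11+x^10+x^6+x^5+x^4+x^2+1
    generate the cyclic [23,12,7] Golay code, so t = 3."""
    g = 0b110001110101                                        # bit i = coefficient of x^i
    return [g << i for i in range(12)]


def demo(seed=7):
    """Minimum-weight search on the Golay code, then decoding of a 3-error word."""
    random.seed(seed)
    G = golay_generator()
    c = find_weight_w_word(G, 23, 7, p=1, sigma=3)
    codeword = G[0] ^ G[3] ^ G[7]
    e = (1 << 2) | (1 << 11) | (1 << 20)                       # constructed error, weight 3
    return weight(c), in_code(G, 23, c), decode(G, 23, codeword ^ e, 3, p=1, sigma=3) == e


if __name__ == "__main__":
    print(demo())                                              # (7, True, True)
```

The pivot in step 4 is the only place the systematic matrix changes between iterations, which is exactly why successive information sets are correlated and why the running time in the next section is modelled as a Markov chain rather than as independent trials.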

4 Theoretical Running-Time 

We give here an explicit and computable expression for the work factor of this 
algorithm, i.e. the average number of elementary operations it requires. This 
analysis is essential in particular for finding the values of parameters p and σ 
which minimize the running-time of the algorithm. 

4.1 Modelling of the Algorithm by a Markov Chain 

The average number of iterations performed by the algorithm is not the same as 
the one performed by Stern's initial algorithm since the successive information 
sets are not independent anymore. Hence the algorithm must be modelled 
by a discrete-time stochastic process. 

Let c be the codeword of weight w to recover and supp(c) its support. Let 
I be the information set and I1, I2 and L the other selections corresponding 
to the i-th iteration. The i-th iteration can then be represented by a random 
variable X_i which corresponds to the number of non-zero bits of c in I. This 
random variable then takes its values in the set {0, ..., w}. But if this number 
equals 2p we have to distinguish two cases depending on whether condition (1) 
is satisfied or not. The state space of the stochastic process is therefore 

E = {0, ..., 2p − 1} ∪ {(2p)_S, (2p)_F} ∪ {2p + 1, ..., w} where 

X_i = u iff |I ∩ supp(c)| = u, ∀u ∈ {1, ..., 2p − 1} ∪ {2p + 1, ..., w} 

X_i = (2p)_F iff |I ∩ supp(c)| = 2p and (|I1 ∩ supp(c)| ≠ p or |L ∩ supp(c)| ≠ 0) 
X_i = (2p)_S iff |I1 ∩ supp(c)| = |I2 ∩ supp(c)| = p and |L ∩ supp(c)| = 0 

The success space is then S = {(2p)_S} and the failure space is F = E \ {(2p)_S}. 

Definition 2. A stochastic process {X_i}_{i∈N} is a Markov chain if the probability 
that it enters a certain state only depends on the last state it occupied. A 
Markov chain {X_i}_{i∈N} is homogeneous if for all states u and v, the conditional 
probability Pr[X_i = v | X_{i−1} = u] does not depend on i. 

Proposition 1. The stochastic process {X_i}_{i∈N} associated with the algorithm 
is a homogeneous Markov chain. 

Proof. The selections I, I1, I2 and L corresponding to the i-th iteration only 
depend on the previous information window since I1, I2 and L are randomly 
chosen. We then have for all i and for all (u_0, u_1, ..., u_i) ∈ E^{i+1}, 

$\Pr[X_i = u_i \mid X_{i-1} = u_{i-1}, X_{i-2} = u_{i-2}, \ldots, X_0 = u_0] = \Pr[X_i = u_i \mid X_{i-1} = u_{i-1}]$ 

Furthermore this probability does not depend on the iteration. Hence there exists 
a matrix P such that: 

$\forall i \in \mathbb{N},\ \forall (u, v) \in E^2,\ \Pr[X_i = v \mid X_{i-1} = u] = P_{u,v}$ 

The Markov chain {X_i}_{i∈N} is therefore completely determined by its initial 
probability vector π_0 = (Pr[X_0 = u])_{u∈E} and its transition matrix P. Both 
of these quantities can be easily determined since two successive information sets 
differ in only one element. 

Proposition 2. The transition matrix P of the homogeneous Markov chain 
associated with the algorithm is given by: 

$P_{u,u} = \frac{k-u}{k} \cdot \frac{n-k-(w-u)}{n-k} + \frac{u}{k} \cdot \frac{w-u}{n-k}$ for all $u \notin \{(2p)_S, (2p)_F\}$ 

$P_{u,u-1} = \frac{u}{k} \cdot \frac{n-k-(w-u)}{n-k}$ for all $u \neq 2p+1$ 

$P_{u,u+1} = \frac{k-u}{k} \cdot \frac{w-u}{n-k}$ for all $u \neq 2p-1$ 

$P_{u,v} = 0$ for all $v \notin \{u-1, u, u+1\}$ 

$P_{(2p)_F,(2p)_F} = (1-\beta) \left( \frac{k-2p}{k} \cdot \frac{n-k-(w-2p)}{n-k} + \frac{2p}{k} \cdot \frac{w-2p}{n-k} \right)$ 

$P_{2p+1,(2p)_F} = (1-\beta) \, \frac{2p+1}{k} \cdot \frac{n-k-(w-(2p+1))}{n-k}$ 

$P_{2p-1,(2p)_F} = (1-\beta) \, \frac{k-(2p-1)}{k} \cdot \frac{w-(2p-1)}{n-k}$ 

$P_{2p+1,(2p)_S} = \beta \, \frac{2p+1}{k} \cdot \frac{n-k-(w-(2p+1))}{n-k}$ 

$P_{2p-1,(2p)_S} = \beta \, \frac{k-(2p-1)}{k} \cdot \frac{w-(2p-1)}{n-k}$ 

$P_{(2p)_F,(2p)_S} = \beta \left( \frac{k-2p}{k} \cdot \frac{n-k-(w-2p)}{n-k} + \frac{2p}{k} \cdot \frac{w-2p}{n-k} \right)$ 

$P_{(2p)_S,(2p)_S} = 1$, $P_{(2p)_S,u} = 0$ for all $u \neq (2p)_S$ 

(the transitions from $(2p)_F$ to $2p-1$ and to $2p+1$ are given by the general formulas 
for $P_{u,u-1}$ and $P_{u,u+1}$ with $u = 2p$), where 

$\beta = \Pr[X_i = (2p)_S \mid |I \cap \mathrm{supp}(c)| = 2p] = \frac{\binom{2p}{p} \binom{k-2p}{k/2-p} \binom{n-k-w+2p}{\sigma}}{\binom{k}{k/2} \binom{n-k}{\sigma}}.$ 

The initial probability vector π_0 is 

$\pi_0(u) = \frac{\binom{w}{u} \binom{n-w}{k-u}}{\binom{n}{k}}$ if $u \notin \{(2p)_F, (2p)_S\}$, 

$\pi_0((2p)_F) = (1-\beta) \frac{\binom{w}{2p} \binom{n-w}{k-2p}}{\binom{n}{k}}$, 

$\pi_0((2p)_S) = \beta \frac{\binom{w}{2p} \binom{n-w}{k-2p}}{\binom{n}{k}}$. 
The only persistent space of this Markov chain, i.e. a maximal state subset 
which cannot be left once it is entered, exactly corresponds to the success space 
S. Since this subset contains only one state which is an absorbing state, i.e. a 
state which once entered is never left, this chain is by definition an absorbing 
chain. A basic property of absorbing Markov chains with a finite state space is 
that, no matter where the process starts, the probability that the process is in 
an absorbing state after n steps tends to 1 as n tends to infinity. We then deduce 
that our algorithm converges. 



Expected Number of Iterations The absorbing chain property also enables 
us to compute the average number of iterations performed by the algorithm. 

Proposition 3. [KS60] If {X_i}_{i∈N} is a finite absorbing Markov chain with 
transition matrix P, and Q is the sub-stochastic matrix corresponding to transitions 
among the transient states (the non-persistent states), i.e. Q = (P_{u,v})_{u,v∈F}, 
then (Id − Q) has an inverse R called the fundamental matrix of the chain and 

$\sum_{m=0}^{\infty} Q^m = (Id - Q)^{-1}.$ 

The average number of iterations performed by the algorithm can then be 
deduced from this fundamental matrix. 

Theorem 1. The expectation of the number of iterations N required until 
{X_i}_{i∈N} reaches the success state (2p)_S is given by: 

$E(N) = \sum_{u \in F} \pi_0(u) \sum_{v \in F} R_{u,v}$ 

where R is the corresponding fundamental matrix. 

Proof. 

$E(N) = \sum_{n \ge 0} n \Pr[X_n \in S \text{ and } X_{n-1} \in F] = \sum_{n \ge 0} \sum_{m=0}^{n-1} \Pr[X_n \in S \text{ and } X_{n-1} \in F]$ 

Applying Fubini's theorem, we get 

$E(N) = \sum_{m \ge 0} \sum_{n \ge m+1} \Pr[X_n \in S \text{ and } X_{n-1} \in F] = \sum_{m \ge 0} \Pr[X_m \in F]$ 

$= \sum_{m \ge 0} \sum_{u \in F} \sum_{v \in F} \pi_0(u) \Pr[X_m = v \mid X_0 = u] = \sum_{u \in F} \sum_{v \in F} \pi_0(u) \sum_{m \ge 0} (Q^m)_{u,v} = \sum_{u \in F} \pi_0(u) \sum_{v \in F} R_{u,v}.$ 



Variance of the Number of Iterations The fundamental matrix also gives 
the variance of the number of iterations, which estimates the deviation from 
the average work factor of the effective computational time required by the 
algorithm. 

Theorem 2. The variance of the number of iterations N required until {X_i}_{i∈N} 
reaches the success state is given by: 

$V(N) = \sum_{u \in F} \pi_0(u) \sum_{v \in F} (2 R_{u,v} - \delta_{u,v}) E_v(N) - \Big( \sum_{u \in F} \pi_0(u) E_u(N) \Big)^2$ 

where δ is the Kronecker symbol and E_u(N) is the average number of iterations 
performed by the process when it starts in state u, i.e. 

$E_u(N) = \sum_{v \in F} R_{u,v}.$ 



Distribution of the Number of Iterations Besides the average number 
of iterations we often want to estimate the probability that the algorithm will 
succeed after a fixed number of iterations. But the approximation given by 
Tchebychev's inequality is usually very rough. A much more precise evaluation is 
obtained by raising the transition matrix of the Markov chain to the corresponding 
power. We actually have: 

Proposition 4. Let P be the transition matrix of the Markov chain associated 
with the algorithm. If P = L^{-1} Λ L where Λ is a diagonal matrix, then the 
probability that the algorithm will succeed after N iterations is given by the 
(2p)_S component of π_0 P^N = π_0 L^{-1} Λ^N L. 



4.2 Average Number of Operations by Iteration 

We now give an explicit expression of the average number of operations 
performed at each iteration. 

1. There are exactly $\binom{k/2}{p}$ linear combinations of p rows of matrix Z1 (resp. 
Z2); computing each of them on a σ-bit selection and putting it in the hash 
table requires pσ binary additions. 

2. The average number of pairs (Λ1, Λ2) such that (Λ1 + Λ2)_{|L} = 0 is equal to 
$\binom{k/2}{p}^2 / 2^{\sigma}$. For each of them we perform 2p − 1 additions of (n − k − σ)-bit words 
for computing (Λ1 + Λ2)_{|J\L} and a weight-checking. 

3. We need $K \big( \binom{k/2}{p} + 2^{\sigma} \big)$ more operations to perform the dynamic memory 
allocation where K is the size of a computer word (K = 32 or 64). 

4. The average work factor involved in the pivoting procedure for updating 
matrix Z is k(n − k)/2. 

Hence the average number of elementary operations performed at each iteration 
is: 

$\Omega_{p,\sigma} = 2p\sigma \binom{k/2}{p} + 2p(n-k-\sigma) \frac{\binom{k/2}{p}^2}{2^{\sigma}} + K \Big( \binom{k/2}{p} + 2^{\sigma} \Big) + \frac{k(n-k)}{2}$ (2) 



Proposition 5. Suppose that the number of codewords of weight w is A_w. The 
overall work factor required by the algorithm is: 

$W_{p,\sigma} = \frac{\Omega_{p,\sigma} \, E(N)}{A_w}$ (3) 

where E(N) is given by Theorem 1 and Ω_{p,σ} by Equation (2). 

Since each term in the previous expression can be explicitly computed, we 
are now able to determine the parameters p and σ which minimize the work 
factor required by the algorithm when the size of the code and the weight w 
of the searched codeword are given. Such a theoretical expression of the work 
factor is commonly used to assess the efficiency of an algorithm and to decide 
whether a given problem is computationally feasible. It is also applied to the 
automatic optimization of the parameters. But the sharpest optimization can 
only be performed by replacing in Equation (3) the theoretical value of Ω_{p,σ} by 
the effective average CPU time of an iteration. 
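Propositions 2, 3 and 5 and Theorems 1 and 2, evaluated numerically, as an added example that is not part of the paper (all function names are assumptions; the parameter set n = 1024, k = 524, w = 50, p = 2, σ = 18 is the original McEliece one from Table 2 in the next section). It builds the transition matrix and π_0, obtains the fundamental matrix by solving (Id − Q)x = b instead of inverting, evaluates Ω_{p,σ} and the work factor of Equation (3), and computes the success probability after N iterations by raising P to the power N, which is the quantity of Proposition 4 without the diagonalisation. This is the calculation a designer runs to see how much margin a parameter set leaves.

```python
# Added example, not from the paper: the Markov-chain work-factor model of
# Section 4 evaluated numerically in pure Python, so a parameter set (n, k, w)
# and algorithm parameters (p, sigma) can be checked for margin before use.
# States: integers u = |I ∩ supp(c)| plus the labels "S" and "F" for (2p)_S, (2p)_F.
# All function names are assumptions.
from math import comb, log2


def states(w, p):
    return list(range(2 * p)) + ["S", "F"] + list(range(2 * p + 1, w + 1))


def beta(n, k, w, p, sigma):
    """Pr[X_i = (2p)_S | |I ∩ supp(c)| = 2p] from Proposition 2."""
    num = comb(2 * p, p) * comb(k - 2 * p, k // 2 - p) * comb(n - k - w + 2 * p, sigma)
    return num / (comb(k, k // 2) * comb(n - k, sigma))


def transition_matrix(n, k, w, p, sigma):
    """Proposition 2: each iteration moves one coordinate lambda out of I and one mu in."""
    E = states(w, p)
    idx = {s: i for i, s in enumerate(E)}
    b = beta(n, k, w, p, sigma)
    P = [[0.0] * len(E) for _ in E]

    def fill(src, u):
        down = u / k * (n - k - (w - u)) / (n - k)        # lambda in supp(c), mu outside
        up = (k - u) / k * (w - u) / (n - k)              # lambda outside, mu in supp(c)
        for target, pr in ((u - 1, down), (u, 1.0 - down - up), (u + 1, up)):
            if pr <= 0.0 or not 0 <= target <= w:
                continue
            if target == 2 * p:                           # reaching 2p splits into S / F
                P[idx[src]][idx["S"]] += b * pr
                P[idx[src]][idx["F"]] += (1.0 - b) * pr
            else:
                P[idx[src]][idx[target]] += pr

    for s in E:
        if s == "S":
            P[idx["S"]][idx["S"]] = 1.0                   # absorbing success state
        else:
            fill(s, 2 * p if s == "F" else s)
    return E, P


def initial_vector(n, k, w, p, sigma):
    """pi_0: |I ∩ supp(c)| is hypergeometric for a random initial information set."""
    b = beta(n, k, w, p, sigma)
    pi0 = []
    for s in states(w, p):
        u = 2 * p if s in ("S", "F") else s
        pr = comb(w, u) * comb(n - w, k - u) / comb(n, k)   # exact big-int ratio
        pi0.append(pr * (b if s == "S" else 1.0 - b if s == "F" else 1.0))
    return pi0


def solve(A, rhs):
    """Gauss-Jordan elimination with partial pivoting for a small dense system A x = rhs."""
    m = len(A)
    M = [row[:] + [rhs[i]] for i, row in enumerate(A)]
    for c in range(m):
        piv = max(range(c, m), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in range(m):
            if r != c and M[r][c] != 0.0:
                f = M[r][c] / M[c][c]
                M[r] = [a - f * x for a, x in zip(M[r], M[c])]
    return [M[r][m] / M[r][r] for r in range(m)]


def iterations_mean_var(n, k, w, p, sigma):
    """Theorems 1 and 2. tau = R·1 gives E_u(N); (2R - Id)·tau gives the second moment
    from u, with R = (Id - Q)^-1 the fundamental matrix of Proposition 3 (obtained by
    solving rather than inverting)."""
    E, P = transition_matrix(n, k, w, p, sigma)
    pi0 = initial_vector(n, k, w, p, sigma)
    T = [i for i, s in enumerate(E) if s != "S"]         # transient (failure) states
    ImQ = [[(1.0 if i == j else 0.0) - P[i][j] for j in T] for i in T]
    tau = solve(ImQ, [1.0] * len(T))
    r_tau = solve(ImQ, tau)
    mean = sum(pi0[i] * t for i, t in zip(T, tau))
    second = sum(pi0[i] * (2.0 * y - t) for i, t, y in zip(T, tau, r_tau))
    return mean, second - mean * mean


def omega(n, k, p, sigma, K=32):
    """Equation (2): elementary operations per iteration, K = machine word size."""
    c = comb(k // 2, p)
    return (2 * p * sigma * c + 2 * p * (n - k - sigma) * c * c / 2 ** sigma
            + K * (c + 2 ** sigma) + k * (n - k) / 2)


def log2_work_factor(n, k, w, p, sigma, A_w=1, K=32):
    """Equation (3): log2 of W = Omega_{p,sigma} E(N) / A_w."""
    return log2(omega(n, k, p, sigma, K) * iterations_mean_var(n, k, w, p, sigma)[0] / A_w)


def success_probability(n, k, w, p, sigma, N):
    """Pr[X_N = (2p)_S] = (pi_0 P^N)_S, raising P to the power N by repeated squaring."""
    E, P = transition_matrix(n, k, w, p, sigma)
    v, dim = initial_vector(n, k, w, p, sigma), len(E)
    vecmat = lambda x, M: [sum(x[i] * M[i][j] for i in range(dim)) for j in range(dim)]
    while N:
        if N & 1:
            v = vecmat(v, P)
        P, N = [vecmat(row, P) for row in P], N >> 1
    return v[E.index("S")]


if __name__ == "__main__":
    n, k, w, p, sigma = 1024, 524, 50, 2, 18                  # original McEliece parameters
    mean, var = iterations_mean_var(n, k, w, p, sigma)
    print("E(N) = %.3g  std = %.3g  log2 W = %.1f" % (mean, var ** 0.5, log2_work_factor(n, k, w, p, sigma)))
    print("Pr[success within 10^5 iterations] = %.3g" % success_probability(n, k, w, p, sigma, 10 ** 5))
```

The binomial ratios in π_0 are computed as exact integer quotients before conversion to float, because C(1024, 524) is close to the double-precision overflow limit; the chain itself has only w + 2 states, so the pure-Python linear solve is instantaneous. Changing (n, k, w) to a candidate parameter set and scanning small p and σ reproduces the kind of optimisation the text describes.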



5 Cryptanalysis of McEliece Cryptosystem 

5.1 Work Factor Versus Probability of Success 

Table 2 gives the optimal parameters and the number of binary operations 
involved in an attack of the previous cryptosystems. 

Cryptanalyzing McEliece cipher with its original parameters then requires 
2^{64.2} operations [CC98]. This new attack is certainly still infeasible but 
it runs 128 times faster than Lee-Brickell's attack [LB88]. As a comparison 
the cryptanalysis of Stern's identification scheme using van Tilburg's algorithm 
has an average number of iterations of 2^{…}, and an estimated work factor of 
2^{72.9} [vT94]. An obvious method for speeding up the cryptanalysis consists in 
distributing the algorithm: using a network of 1000 computers we only need 
2^{…} operations for breaking McEliece cipher. 
cryptosystem                      McEliece             Stern                     Veron 
code                              [1024,524]           [512,256]                 [512,120] 
w                                 50                   56                        114 
optimal parameters                p = 2, σ = 18        p = (illegible), σ = 10   p = 2, σ = 13 
average number of iterations      9.85 · 10^{…}        2.16 · 10^{…}             1.74 · 10^{…} 
standard deviation of the 
number of iterations              9.85 · 10^{…}        2.16 · 10^{…}             1.74 · 10^{…} 
work factor                       2^{64.2}             2^{69.9}                  2^{61.2} 

Table 2. Work factor required for cryptanalyzing some public-key systems based on 
error-correcting codes 



But the standard deviation of the number of iterations involved in cryptanalyzing 
all these systems roughly equals its average. This spread implies that an 
infeasible average work factor is not sufficient to guarantee that these 
cryptosystems are secure: it is necessary to estimate the probability that our algorithm 
will be successful after a feasible number of iterations. This can be done by raising 
the transition matrix of the associated Markov chain to the corresponding power 
as described in Proposition 4. We then obtain that the work factor required for 
decoding a [1024,524,101]-binary code up to its error-correcting capability with 
probability 0.5 only represents 69 % of the average work factor. And if the work 
factor is limited to 2^{…}, i.e. to 10^8 iterations, the probability that a message in 
McEliece cipher will be decrypted is 10^{-4}. Since 1000 iterations of the optimized 
algorithm are performed in 10 minutes on a DEC Alpha workstation at 433 MHz, 
decrypting one message out of 10,000 requires 2 months and 14 days with 10 such 
computers (see Figure 1). The relatively high proportion of decrypted messages 
in a reasonable time implies that McEliece system with its original parameters 
is not secure as long as the enemy has a few tens of fast workstations. A similar 
study shows that the parameters proposed in Stern's identification scheme make 
it much more secure. An eleven-month computation time on 10 DEC Alphas 
enables us to recover the secret key of a user in only one case out of 100,000. This 
only implies that the lifetime of the keys must be less than one year. The 
parameters proposed by Veron significantly reduce the number of transmitted bits 
in each identification procedure but they impose a much shorter lifetime of the 
keys since 56 days on 10 of our workstations are sufficient to find the secret key 
of a user with a probability greater than 1/3500. 

5.2 Partial Attacks on McEliece and Niederreiter Cryptosystems 

McEliece and Niederreiter cryptosystems otherwise present some weaknesses 
since the knowledge of a small number of bits of the plaintext is sufficient to 
recover it in its entirety. The knowledge of some plaintext bits in McEliece 
cipher allows to accordingly reduce the dimension of the code we consider in the 
attack. If we assume that 2^{…} binary operations is a feasible work factor, it is 
then possible to decode up to distance 50 a [1024,404]-binary code with our 
algorithm. This means that the knowledge of 120 plaintext bits (i.e. 23 % of the 
plaintext) is sufficient to recover the whole plaintext in a reasonable time. 

Fig. 1. Computational effort required for cryptanalyzing McEliece cryptosystem as a 
function of the proportion of messages successfully decrypted: the CPU time is given 
for 10 DEC Alpha workstations at 433 MHz in parallel. 

A similar attack on Niederreiter cryptosystem consists in assuming that some 
error positions are known by the enemy. The problem is then to determine the 
distance up to which a [1024,524]-binary code can be decoded. If the work factor 
is limited to 2^{…} binary operations, we obtain that the knowledge of 15 error 
positions out of the 50 introduced in McEliece and Niederreiter systems enables 
us to recover the plaintext. This small proportion notably implies that generating 
the error vector with a noisy channel is insecure if this provides some errors whose 
weight is too small. 



6 Conclusion 

We have then proved that the security of McEliece cipher is insufficient when its 
original parameters are used. But this public-key system is still a valid alternative 
to RSA once its parameters are modified. For example if the secret key is 
chosen amongst the Goppa codes of length 2048, dimension 1608 and minimum 
distance 81, the average work factor of our attack is roughly 2^{100}. Even with 
these parameters the performance of McEliece cipher remains much better than 
that of RSA: the costs of encryption and decryption per information bit with 
Niederreiter's version are respectively 45 times and 70 times lower than with 
RSA-1024. But the huge size of the public key (more than 88,000 bytes in this 
case) may often dissuade from using this cipher. 
Abstract. At Crypto'97, Berson showed that the McEliece public-key 
cryptosystem suffers from two weaknesses: (1) failure to protect any message 
which is encrypted more than once, (2) failure to protect any messages which 
have a known linear relation to one another. In this paper, we propose some 
variants of the McEliece scheme which can prevent these attacks. These 
variants do not reduce the information rate of the original scheme. In addition, 
to improve the information rate, we also propose some variants of the McEliece 
scheme which can prevent Berson-like attacks. 



1 Introduction 

In 1978, McEliece [16] proposed a public-key cryptosystem (the McEliece scheme) 
based on algebraic coding theory. The idea of this cryptosystem is based on the fact 
that the decoding problem of an arbitrary linear code is an NP-hard problem [4]. 
Compared with other public-key cryptosystems [8,21] which involve modular 
exponentiation, the McEliece scheme has the advantage of high-speed encryption and 
decryption. In addition, the McEliece scheme is a probabilistic encryption [6,9], which 
is better than deterministic encryptions [19,21] at eliminating any information leaked 
by public-key cryptography. Up to now, the McEliece scheme is still not widely used. 
This is because the information rate of this scheme is low (close to 0.5) and it 
requires large binary matrices as secret key and public key. 
Some methods [15,18,23] were proposed to improve the information rate of the 
McEliece scheme. These methods use the added error vector to carry additional 
information. Some information bits are mapped into an error vector to be added to a 
codeword. Once the error vector can be identified, the additional information can be 
recovered. By using these methods, the information rate can be up to around 0.8 or 
more. For the large key problem, Sun and Hwang [24] proposed the use of a short 
sequence of bits (called seed-key) to specify the secret key. Thus each user only needs to 
keep a short key, e.g., a 64-bit sequence. However, the problem of the large public key is 
still unsolved. 
In the past, many researchers [1,2,7,13,14,25] attempted to break the McEliece 
scheme. None of these were successful in the general case. Among them, Korzhik 
and Turkin [13] claimed that they had broken the McEliece scheme. However, most 
cryptographers do not believe their result to be effective because of the lack of obvious 
evidence to confirm the time bound they claimed. At Crypto'97, Berson [5] showed 
that the McEliece scheme suffers from two weaknesses: (1) failure to protect any 
message which is encrypted more than once, (2) failure to protect any messages 
which have a known linear relation to one another. Although these weaknesses do not 
lead the McEliece scheme to be broken immediately (i.e., the private key is not 
recovered), it is possible for an attacker to act in some way such that these 
weaknesses occur. For example, an attacker introduces some errors into the 
ciphertext, which is sent from the sender to the receiver, such that the receiver cannot 
decrypt the ciphertext correctly. If the receiver thinks this is caused by faults in the 
encryption phase, he will request the sender to resend (encrypt the message 
and send the ciphertext again). Thus weakness (1) will occur. 

To overcome these weaknesses, Berson [5] suggested spreading randomness 
through the plaintext in some complicated fashion. Bellare and Rogaway's OAEP [3] 
et seq., which are commonly used to enhance the security of RSA, are instructive. 
Thus the linear relation between the messages will be unable to be found by some action 
of a cryptanalyst. However, these improvements will also reduce the information rate 
of this scheme. 

In this paper we propose some variants of the McEliece public-key cryptosystem 
which can prevent the attacks proposed by Berson. These variants do not 
reduce the information rate of the original scheme. In addition, to improve the 
information rate, we also propose some variants of the McEliece scheme which can 
prevent Berson-like attacks. This paper is organized as follows. In section 2, 
we provide some background information. In section 3, we present some variants of 
the McEliece public-key cryptosystem which can prevent the attacks proposed 
by Berson. In section 4, we propose more variants of the McEliece public-key 
cryptosystem which can prevent Berson-like attacks and improve the 
information rate. Finally, we conclude this paper in section 5. 



2 Preliminaries 



2.1 The McEliece Public-Key Cryptosystem 

Secret key: $S$ is a random $k \times k$ nonsingular matrix over GF(2), called the scrambling matrix; $G$ is a $k \times n$ generator matrix of a binary Goppa code $G$ capable of correcting an $n$-bit random error vector of weight less than or equal to $t$; and $P$ is a random $n \times n$ permutation matrix. 

Public key: $G' = SGP$. 

Encryption: $c = mG' + e$, where $m$ is a $k$-bit message, $c$ is an $n$-bit ciphertext, and $e$ is an $n$-bit random error vector of weight $t$. 

Decryption: The receiver first calculates $c' = cP^{-1} = mSG + eP^{-1}$, where $P^{-1}$ is the inverse of $P$. Because the weight of $eP^{-1}$ is the same as the weight of $e$, the receiver uses the decoding algorithm of the original code $G$ to obtain $m' = mS$. Finally, the receiver recovers $m$ by computing $m = m'S^{-1}$, where $S^{-1}$ is the inverse of $S$. 

In the original version of the McEliece scheme, the parameters $k$, $n$, and $t$ were suggested to be 524, 1024, and 50 respectively. Many works [1,2,11,12] studied the optimal values of these parameters so that a cryptanalyst must pay the highest cost to break this system. These optimizations suggested that if $n = 1024$, $k$ should range from 524 to 654 and $t$ from 37 to 50. In this paper we use the parameter sizes of the original version without loss of generality. 

An obvious attack on the McEliece scheme is to guess 524 positions of $c$ that are not distorted by $e$, and then find $m$ from $c^* = mG^*$ if $G^*$ is invertible, where $c^*$ and $G^*$ are the restrictions of $c$ and $G'$ onto these positions. Because there are 50 errors embedded in 1024 positions, we need about $1.37 \times 10^{16}$ guesses to succeed. 



2.2 Berson’s Attacks on the McEliece Scheme 

Berson [5] proposed two attacks on the McEliece scheme, called the message-resend attack and the related-message attack. We restate these two attacks in the following. 

Message-Resend Attack: 

We assume a message $m$ is encrypted twice because of some accident or the deliberate action of a cryptanalyst. Then the cryptanalyst knows $c_1 = mG' + e_1$ and $c_2 = mG' + e_2$, where $e_1 \neq e_2$ (this is called the message-resend condition). Therefore, 

$c_1 + c_2 = e_1 + e_2.$ 

Note that the weight of $e_1 + e_2$ is even and at most 100 because the weight of each error vector added in the McEliece scheme is 50. According to Berson's analysis, the expected Hamming weight of $e_1 + e_2$ is about 95.1 if a message-resend condition occurs. If the underlying messages are different, the expected Hamming weight of $c_1 + c_2$ is 512. Therefore, it is easy to detect the occurrence of a message-resend condition, and the weight of $e_1 + e_2$, by observing the Hamming weight of $c_1 + c_2$. If the weight of $e_1 + e_2$ is 94, we need to guess 524 positions of $c_1$ ($c_2$) that are not distorted by $e_1$ ($e_2$) from 930 possible positions, 3 of which are wrong. The probability of a correct guess is $\binom{927}{524}/\binom{930}{524} \approx 0.0828$. This means that the cryptanalyst needs only about 12 guesses to succeed. Similarly, if the weight of $e_1 + e_2$ is 96, only about 5 guesses are required for the cryptanalyst to succeed. 

Note that the main reason Berson's attack succeeds is that by observing the value $c_1 + c_2$ we obtain more information about the positions in which the errors probably occur. In the following, we show how much information about each bit of the error vector is obtained by observing $c_1 + c_2$. Let $e_1(i)$, $e_2(i)$, $c_1(i)$, and $c_2(i)$ denote the $i$-th bit in $e_1$, $e_2$, $c_1$, and $c_2$ respectively. Here we assume the value of each bit in the ciphertext is a random variable with probability $p(c_1(i)=0) = p(c_1(i)=1) = 0.5$. The entropy function [10] gives 

$H(e_1(i) \mid c_1(i)) = p(c_1(i)=0)\,H(e_1(i) \mid c_1(i)=0) + p(c_1(i)=1)\,H(e_1(i) \mid c_1(i)=1)$ 

$= 0.5\left(\frac{974}{1024}\log\frac{1024}{974} + \frac{50}{1024}\log\frac{1024}{50}\right) + 0.5\left(\frac{974}{1024}\log\frac{1024}{974} + \frac{50}{1024}\log\frac{1024}{50}\right) = 0.2814.$ 

It is clear that $H(e_1(i)) = H(e_1(i) \mid c_1(i))$ and $H(e_2(i)) = H(e_2(i) \mid c_2(i))$. This means that one cannot obtain more information on $e_1(i)$ (or $e_2(i)$) by observing $c_1(i)$ (or $c_2(i)$). However, if the message-resend condition occurs and the weight of $e_1 + e_2$ is 94, then 

$H(e_1(i) \mid c_1(i) + c_2(i)) = p(c_1(i)+c_2(i)=0)\,H(e_1(i) \mid c_1(i)+c_2(i)=0) + p(c_1(i)+c_2(i)=1)\,H(e_1(i) \mid c_1(i)+c_2(i)=1)$ 

$= \frac{930}{1024}\left(\frac{927}{930}\log\frac{930}{927} + \frac{3}{930}\log\frac{930}{3}\right) + \frac{94}{1024}\left(\frac{1}{2}\log 2 + \frac{1}{2}\log 2\right) = 0.1203.$ 

If the message-resend condition occurs and the weight of $e_1 + e_2$ is 96, then 

$H(e_1(i) \mid c_1(i) + c_2(i)) = p(c_1(i)+c_2(i)=0)\,H(e_1(i) \mid c_1(i)+c_2(i)=0) + p(c_1(i)+c_2(i)=1)\,H(e_1(i) \mid c_1(i)+c_2(i)=1)$ 

$= \frac{928}{1024}\left(\frac{926}{928}\log\frac{928}{926} + \frac{2}{928}\log\frac{928}{2}\right) + \frac{96}{1024}\left(\frac{1}{2}\log 2 + \frac{1}{2}\log 2\right) = 0.1139.$ 



Related-Message Attack: 

We assume two messages $m_1$ and $m_2$ are encrypted and a cryptanalyst knows a linear relation, e.g., the value $m_1 + m_2$, between these two messages. Then the cryptanalyst knows $c_1 = m_1G' + e_1$ and $c_2 = m_2G' + e_2$, where $m_1 \neq m_2$ and $e_1 \neq e_2$. Therefore, $c_1 + c_2 = m_1G' + e_1 + m_2G' + e_2 = (m_1 + m_2)G' + (e_1 + e_2)$. Because the value $m_1 + m_2$ is known beforehand, $(m_1 + m_2)G'$ can be computed. Hence $c_1 + c_2 + (m_1 + m_2)G' = e_1 + e_2$. As in the analysis of the message-resend attack, the number of guesses required to succeed is small. 

Basically, the message-resend attack is the special case of the related-message attack where the linear relation between the messages is $m_1 + m_2 = 0$. To overcome these weaknesses, Berson [5] suggested spreading randomness through the plaintext in some complicated fashion. Bellare and Rogaway's OAEP [3] and its successors, which are commonly used to enhance the security of RSA, are instructive here: the linear relation between the messages can then no longer be found through any action of a cryptanalyst. However, these improvements also reduce the information rate of the scheme. In the following sections, we propose some variants of the McEliece scheme which resist the attacks proposed by Berson. Some of them have the same information rate as the original McEliece scheme, and some of them have a higher information rate than the original scheme. 



3 Some Variants of the McEliece Scheme 

In this section, we propose some variants of the McEliece scheme. These variants protect the McEliece scheme against the message-resend attack and the related-message attack. In addition, these variants do not reduce the information rate. The public key and the secret key in these variants are the same as those in the original McEliece scheme. 

Variant I: 

Encryption: $c = (m + h(e))G' + e$, where $e$ is an $n$-bit random error vector of weight $t$, and $h$ is a one-way hash function with input $e$ and an output of a $k$-bit vector. It is necessary to consider how to apply a well-known one-way hash function, e.g., MD5 [20], as the function $h$. We omit the details here. 

Decryption: First $m + h(e)$ is obtained by using the decryption algorithm of the original scheme (the error vector $e$ is also found in the decoding process). Secondly the receiver computes $m = (m + h(e)) + h(e)$. 

Security: Let $m_1$ and $m_2$ be two messages. If $m_1 = m_2$, then $c_1 + c_2 = (h(e_1) + h(e_2))G' + e_1 + e_2$. The value $(h(e_1) + h(e_2))G'$ is unknown because $h(e_1)$ and $h(e_2)$ are unknown. We cannot obtain more information about the positions in which the errors occur. Thus the message-resend attack fails. If the value $m_1 + m_2$ is known, then $c_1 + c_2 = (m_1 + m_2 + h(e_1) + h(e_2))G' + e_1 + e_2$. Although the value $m_1 + m_2$ is known, $(m_1 + m_2 + h(e_1) + h(e_2))G'$ is not known because $h(e_1)$ and $h(e_2)$ are unknown. We are not able to obtain any information about the positions in which the errors occur. Thus the related-message attack cannot work. 
Variant II: 

Encryption: $c = f(m, e)G' + e$, where $e$ is an $n$-bit random error vector of weight $t$, and $f$ is a trapdoor one-way function [21] with two inputs ($m$ and $e$) and an output of a $k$-bit vector. Here $f$ must have the property that given $f(m, e)$ it is computationally infeasible to find $m$ and $e$, but it is easy to compute $m$ given $f(m, e)$ and $e$. For example, DES [17], which has two inputs (message and key) and one output (ciphertext), is one candidate. If DES is applied, it is necessary to consider how to implement it as the function $f$, because DES has a 56-bit key, a 64-bit message, and a 64-bit ciphertext, while $f$ needs an $n$-bit $e$, a $k$-bit $m$, and a $k$-bit output. We omit the details here. 

Decryption: First $f(m, e)$ is recovered by using the decryption algorithm of the original scheme (the receiver keeps the error vector found in the decoding process). Secondly the receiver computes $m$ by inverting the function $f$. 

Security: If $m_1 = m_2$, then $c_1 + c_2 = (f(m_1, e_1) + f(m_2, e_2))G' + e_1 + e_2$. The value $(f(m_1, e_1) + f(m_2, e_2))G'$ is unknown because $f(m_1, e_1)$ and $f(m_2, e_2)$ are unknown. We cannot obtain any information about the positions in which the errors occur. Thus the message-resend attack fails. If the value $m_1 + m_2$ is known, we still cannot remove the term $(f(m_1, e_1) + f(m_2, e_2))G'$. Therefore, this scheme is also secure against the related-message attack. 
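The following worked example is added here and is not code from the paper. It reproduces the numbers of Section 2.2 (expected weight 95.1, about 12 and 5 guesses, the entropies 0.2814, 0.1203 and 0.1139) and then simulates what an observer of $c_1 + c_2$ sees under the original scheme and under Variant I. It assumes a random binary matrix in place of $G' = SGP$ (only encryption is exercised, so no Goppa decoding is needed) and models $h$ with SHA-256.

```python
"""Added example (not code from Sun's paper): the statistics behind Berson's
message-resend attack (Sect. 2.2) and what Variant I (Sect. 3) changes.
Parameters are the paper's originals, n=1024, k=524, t=50.  A random k x n
binary matrix stands in for the public key G' = SGP: only the encryption side
c = mG' + e matters for what an observer of c1 + c2 sees, so no Goppa decoding
is needed.  h is modelled with SHA-256 (the paper leaves the hash open)."""
import hashlib
import math
import random

N, K, T = 1024, 524, 50


def expected_sum_weight(n=N, t=T):
    """E[wt(e1 + e2)] for two independent random weight-t error vectors: the
    expected overlap is t*t/n and every overlapping position cancels two bits."""
    return 2 * t - 2 * t * t / n            # about 95.1 for the paper's parameters


def resend_guess_probability(weight, n=N, k=K, t=T):
    """Berson's attack: choose k of the n-weight positions where c1 + c2 = 0 and
    hope none of the (2t - weight)/2 positions set in both e1 and e2 is among
    them.  Returns the success probability of a single guess."""
    zeros = n - weight
    common = (2 * t - weight) // 2
    return math.comb(zeros - common, k) / math.comb(zeros, k)


def binary_entropy(p):
    if p in (0.0, 1.0):
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def entropy_error_bit(n=N, t=T):
    """H(e1(i)) = H(e1(i) | c1(i)): one ciphertext alone says nothing about e1."""
    return binary_entropy(t / n)


def entropy_given_sum(weight, n=N, t=T):
    """H(e1(i) | c1(i) + c2(i)) under the message-resend condition, as in
    Sect. 2.2: where the sum bit is 0 the position is an error of both vectors
    with probability common/zeros; where it is 1 exactly one of e1(i), e2(i) is
    set, leaving one bit of uncertainty."""
    zeros = n - weight
    common = (2 * t - weight) // 2
    return (zeros / n) * binary_entropy(common / zeros) + (weight / n) * 1.0


# ---- a small simulation of the original scheme and Variant I -----------------

def random_error_vector(rng, n=N, t=T):
    e = [0] * n
    for i in rng.sample(range(n), t):
        e[i] = 1
    return e


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def encode(m, g_pub):
    """mG' over GF(2): XOR of the rows of G' selected by the 1-bits of m."""
    c = [0] * len(g_pub[0])
    for bit, row in zip(m, g_pub):
        if bit:
            c = xor(c, row)
    return c


def h(e, k=K):
    """Model of the paper's h: a k-bit one-way digest of the error vector."""
    out, ctr = b"", 0
    while len(out) * 8 < k:
        out += hashlib.sha256(bytes(e) + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return [(out[i // 8] >> (7 - i % 8)) & 1 for i in range(k)]


def encrypt_original(m, g_pub, e):
    return xor(encode(m, g_pub), e)                    # c = mG' + e


def encrypt_variant1(m, g_pub, e):
    return xor(encode(xor(m, h(e)), g_pub), e)         # c = (m + h(e))G' + e


def resend_observation(seed=1):
    """Weight of c1 + c2 when the same m is sent twice, for both schemes.  The
    original scheme exposes wt(e1 + e2) <= 100; Variant I adds (h(e1)+h(e2))G'
    and the sum looks like a random 1024-bit vector of weight around 512."""
    rng = random.Random(seed)
    g_pub = [[rng.getrandbits(1) for _ in range(N)] for _ in range(K)]
    m = [rng.getrandbits(1) for _ in range(K)]
    e1, e2 = random_error_vector(rng), random_error_vector(rng)
    w_orig = sum(xor(encrypt_original(m, g_pub, e1), encrypt_original(m, g_pub, e2)))
    w_var1 = sum(xor(encrypt_variant1(m, g_pub, e1), encrypt_variant1(m, g_pub, e2)))
    return w_orig, w_var1
```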

4 More Variants on Improving the Information Rate 

In the past, some researchers [15,18,23] studied how to improve the information rate of the McEliece scheme. They use the added error vector to carry additional information, so that the information rate of the McEliece scheme is increased. In this section, we first formally describe their idea as Variant III and show that this variant is not secure against Berson-like attacks. We then propose some variants which resist Berson-like attacks and improve the information rate. 

Variant III: 

Encryption: Let $m = (m_a, m_b)$ be the message, and $c = m_aG' + e$, where $e = g(m_b)$ and $g$ is an invertible function which maps $m_b$ into an $n$-bit error vector of weight $t$. Some good candidates for the function $g$ can be found in [15,18,23]. 

Decryption: First $m_a$ is recovered by using the decryption algorithm of the code $G$. In the meantime, the value $g(m_b)$ is also obtained. Then the receiver computes $m_b = g^{-1}(g(m_b))$, where $g^{-1}$ is the inverse of $g$. 

Information rate: By using this method, the information rate can be improved from 0.51 to 0.79 if $k = 524$, $n = 1024$, and $t = 50$ (an additional 284 bits of information are carried), and from 0.63 to 0.87 if $k = 654$, $n = 1024$, and $t = 37$ (an additional 225 bits of information are carried). 

206 H.-M. Sun 

Security: Basically, the idea of this variant is the same as that of the original McEliece scheme. The main difference between the two is the randomness of the error vector. The error vector of the former is not truly random, but depends on the probability distribution of $m_b$. To provide better security, it is suggested that a data compression technique be applied before encryption. Note that this variant is a deterministic encryption. 

Let $m_1 = (m_{1a}, m_{1b})$ and $m_2 = (m_{2a}, m_{2b})$ be two messages encrypted. Because each message in this variant contains two parts, we extend the linear relation between two messages to many cases. In Table 1, we show the possible weaknesses of these cases. We give some explanations for these cases in the following. 

Case III.A: If $m_{1a}$ is known beforehand, then $g(m_{1b}) = c_1 + m_{1a}G'$. Thus $m_{1b} = g^{-1}(c_1 + m_{1a}G')$. 

Case III.B: If $m_{1b}$ is known beforehand, then we know $m_{1a}G' = c_1 + g(m_{1b})$. It is easy to compute $m_{1a}$ by finding $G^*$ such that $m_{1a}G^* = (c_1 + g(m_{1b}))^*$, where $(c_1 + g(m_{1b}))^*$ and $G^*$ are the restrictions of $c_1 + g(m_{1b})$ and $G'$ onto some positions for which $G^*$ is invertible. 

Case III.C: If $m_{1a} = m_{2a}$ and $m_{1b} = m_{2b}$ are known beforehand, then $c_1 = c_2$. That is, $c_1 + c_2 = 0$. We cannot obtain any information about the positions in which the errors occur. 

Case III.D: If $m_{1a} = m_{2a}$ and $m_{1b} \neq m_{2b}$ are known beforehand, then $c_1 + c_2 = (m_{1a} + m_{2a})G' + e_1 + e_2 = e_1 + e_2$. Therefore, we obtain information about the positions in which the errors occur. Thus $m_{1a}$, $m_{1b}$, $m_{2a}$, and $m_{2b}$ can be recovered. 

Case III.E: If $m_{1a} \neq m_{2a}$ and $m_{1b} = m_{2b}$ are known beforehand, then $(m_{1a} + m_{2a})G' = c_1 + c_2$. Similar to Case III.B, it is easy to compute $m_{1a} + m_{2a}$. 

Case III.F: Similar to Case III.E, except that $m_{1a} + m_{2a}$ is already known beforehand. 

Case III.G: If the value $m_{1a} + m_{2a}$ and $m_{1b} \neq m_{2b}$ are known beforehand, then $c_1 + c_2 = (m_{1a} + m_{2a})G' + e_1 + e_2$. Because the value $m_{1a} + m_{2a}$ is known, $(m_{1a} + m_{2a})G'$ can be computed. Hence $c_1 + c_2 + (m_{1a} + m_{2a})G' = e_1 + e_2$. Therefore, we obtain information about the positions in which the errors occur. Thus $m_{1a}$, $m_{1b}$, $m_{2a}$, and $m_{2b}$ can be recovered. 
Table 1. The possible weaknesses in Variant III 

Case       | Information Known Previously              | Information Leaked 
Case III.A | $m_{1a}$ (or $m_{2a}$)                    | $m_{1b}$ (or $m_{2b}$) 
Case III.B | $m_{1b}$ (or $m_{2b}$)                    | $m_{1a}$ (or $m_{2a}$) 
Case III.C | $m_{1a} = m_{2a}$, $m_{1b} = m_{2b}$       | None 
Case III.D | $m_{1a} = m_{2a}$, $m_{1b} \neq m_{2b}$    | $m_{1a}$, $m_{1b}$, $m_{2a}$, $m_{2b}$ 
Case III.E | $m_{1a} \neq m_{2a}$, $m_{1b} = m_{2b}$    | $m_{1a} + m_{2a}$ 
Case III.F | $m_{1a} + m_{2a}$, $m_{1b} = m_{2b}$       | None 
Case III.G | $m_{1a} + m_{2a}$, $m_{1b} \neq m_{2b}$    | $m_{1a}$, $m_{1b}$, $m_{2a}$, $m_{2b}$ 


From Table 1, it is clear that there are still many weaknesses in Variant III. To 
overcome these weaknesses and improve the information rate of the McEliece 
scheme, we propose two variants of the McEliece scheme in the following. 

Variant IV: 

Encryption: Let $m = (m_a, m_b)$ be the message, and $c = (m_a + h(e))G' + e$, where $e = g(r \| m_b)$, $r$ is a $q$-bit random vector, $g$ is an invertible function which maps $r \| m_b$ to an $n$-bit error vector of weight $t$, and $h$ is a one-way hash function with input $e$ and an output of a $k$-bit vector. Here we need the function $g$ to have the following property. Let $E$ be the set of $2^n$ possible strings of $n$ binary digits, $E_g$ be the set of all possible outputs of $g(r \| m_b)$, $x_i$ be the $i$-th item in $E_g$, and $d = \min_{i \neq j} d_H(x_i, x_j)$. If we regard $E$ as an $n$-dimensional Hamming space, we require that $E_g$ is uniformly distributed (located) in $E$. That is, we expect $d$ to be approximately maximal. The proposals in [15,18,23] may be candidates for the function $g$. 

Decryption: First $m_a' = m_a + h(e)$ and $e$ are found by using the decryption algorithm of the code $G$. Secondly the receiver computes $r \| m_b = g^{-1}(e)$, where $g^{-1}$ is the inverse of $g$, and then discards the part $r$. Thus $m_b$ is obtained. Finally, $m_a$ is computed by $m_a = m_a' + h(e)$. 

Information rate: By using this method, the information rate can be improved from 0.51 to 0.79 if $k = 524$, $n = 1024$, $t = 50$, and $q = 0$; from 0.51 to 0.73 if $k = 524$, $n = 1024$, $t = 50$, and $q = 64$; from 0.63 to 0.87 if $k = 654$, $n = 1024$, $t = 37$, and $q = 0$; and from 0.63 to 0.8 if $k = 654$, $n = 1024$, $t = 37$, and $q = 64$. 
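As an added illustration (not code from the paper or from [15,18,23]), one standard way to realise the invertible map $g$ of Variants III and IV is enumerative coding of weight-$t$ vectors, under which every weight-$t$ vector is a possible output. The block below implements it, composes $r \| m_b$ as in Variant IV (placing $r$ in the high-order bits is an assumption of this example), and checks the 284-bit and 225-bit capacities and the 0.79 and 0.73 rates quoted above.

```python
"""Added example (not from the paper): an invertible map g from an integer to an
n-bit vector of weight t by enumerative (combinatorial number system) coding,
used here to realise Variant IV's e = g(r || m_b).  The layout of r in the
high-order bits of the encoded integer is an assumption of this example."""
import math

N, T = 1024, 50


def capacity_bits(n=N, t=T):
    """Whole message bits a weight-t vector of length n can carry:
    floor(log2 C(n, t)).  For n=1024, t=50 this is the paper's 284."""
    return math.comb(n, t).bit_length() - 1


def int_to_weight_t(x, n=N, t=T):
    """Enumerative encoding: the x-th weight-t vector of length n (0 <= x <
    C(n,t)) in colex order.  Greedily pick the largest position c with
    C(c, w) <= x for w = t, t-1, ..., 1."""
    if not 0 <= x < math.comb(n, t):
        raise ValueError("x out of range")
    positions = []
    for w in range(t, 0, -1):
        c = w - 1                       # C(w-1, w) = 0 <= x always holds
        while math.comb(c + 1, w) <= x:
            c += 1
        positions.append(c)
        x -= math.comb(c, w)
    e = [0] * n
    for c in positions:
        e[c] = 1
    return e


def weight_t_to_int(e, t=T):
    """Inverse of int_to_weight_t: sum C(c_w, w) over the sorted 1-positions."""
    positions = [i for i, bit in enumerate(e) if bit]
    if len(positions) != t:
        raise ValueError("vector does not have weight t")
    return sum(math.comb(c, w) for w, c in enumerate(positions, start=1))


def g(r, m_b, q, n=N, t=T):
    """Variant IV's g: the q-bit random r concatenated with m_b, mapped to a
    weight-t vector.  m_b may use the remaining capacity_bits(n, t) - q bits."""
    bits = capacity_bits(n, t)
    if r >= 1 << q or m_b >= 1 << (bits - q):
        raise ValueError("r or m_b too large for the chosen parameters")
    return int_to_weight_t((r << (bits - q)) | m_b, n, t)


def g_inverse(e, q, n=N, t=T):
    """Recover (r, m_b) from the error vector, as the Variant IV receiver does
    before discarding r."""
    bits = capacity_bits(n, t)
    x = weight_t_to_int(e, t)
    return x >> (bits - q), x & ((1 << (bits - q)) - 1)


def information_rate(k, n=N, t=T, q=0):
    """(k + capacity_bits(n, t) - q) / n: the rate the paper reports for Variant IV."""
    return (k + capacity_bits(n, t) - q) / n
```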
Security: We discuss the security of this variant with parameter $q = 0$ and $q = 64$ respectively. 

Parameter $q = 0$: 

In Table 2, we show the possible weaknesses in Variant IV with parameter $q = 0$. Some explanations for these cases are given in the following. 

Case IV.A: Assume $m_{1a}$ is known beforehand. $(m_{1a} + h(g(m_{1b})))G'$ cannot be removed from $c_1$ because $h(g(m_{1b}))$ is unknown. 

Case IV.B: If $m_{1b}$ is known beforehand, then we know $(m_{1a} + h(g(m_{1b})))G' = c_1 + g(m_{1b})$. Similar to Case III.B, it is easy to compute $m_{1a} + h(g(m_{1b}))$ and hence $m_{1a}$. 

Case IV.C: Similar to Case III.C. 

Case IV.D: If $m_{1a} = m_{2a}$ and $m_{1b} \neq m_{2b}$ are known beforehand, then $c_1 + c_2 = (h(g(m_{1b})) + h(g(m_{2b})))G' + e_1 + e_2$. We cannot remove $(h(g(m_{1b})) + h(g(m_{2b})))G'$ from $c_1 + c_2$. Therefore, we cannot obtain any information about the positions in which the errors occur. 

Case IV.E: Similar to Case III.E. 

Case IV.F: Similar to Case III.F. 

Case IV.G: If the value $m_{1a} + m_{2a}$ and $m_{1b} \neq m_{2b}$ are known beforehand, then $c_1 + c_2 = (m_{1a} + m_{2a} + h(g(m_{1b})) + h(g(m_{2b})))G' + e_1 + e_2$. Because the value $m_{1a} + m_{2a}$ is known, $(m_{1a} + m_{2a})G'$ can be computed. Hence $c_1 + c_2 + (m_{1a} + m_{2a})G' = (h(g(m_{1b})) + h(g(m_{2b})))G' + e_1 + e_2$. However, we cannot remove $(h(g(m_{1b})) + h(g(m_{2b})))G'$ from $c_1 + c_2 + (m_{1a} + m_{2a})G'$. 


Table 2. The possible weaknesses in Variant IV with parameter $q = 0$ 

Case      | Information Known Previously              | Information Leaked 
Case IV.A | $m_{1a}$ (or $m_{2a}$)                    | None 
Case IV.B | $m_{1b}$ (or $m_{2b}$)                    | $m_{1a}$ (or $m_{2a}$) 
Case IV.C | $m_{1a} = m_{2a}$, $m_{1b} = m_{2b}$       | None 
Case IV.D | $m_{1a} = m_{2a}$, $m_{1b} \neq m_{2b}$    | None 
Case IV.E | $m_{1a} \neq m_{2a}$, $m_{1b} = m_{2b}$    | $m_{1a} + m_{2a}$ 
Case IV.F | $m_{1a} + m_{2a}$, $m_{1b} = m_{2b}$       | None 
Case IV.G | $m_{1a} + m_{2a}$, $m_{1b} \neq m_{2b}$    | None 


Parameter $q = 64$: 

In Table 3, we show the possible weaknesses in Variant IV with parameter $q = 64$. Some explanations for these cases are given in the following. 

Case IV.R.A: Similar to Case IV.A. 

Improving the Security of the McEliece Public-Key Cryptosystem 209 

Case IV.R.B: Assume $m_{1b}$ is known beforehand. Because $r_1$ is an unknown 64-bit random vector, the probability of a correct guess of the value $g(r_1 \| m_{1b})$ is only $1/2^{64}$. Therefore, we cannot remove $g(r_1 \| m_{1b})$ from $c_1$. Another possible attack is to guess $k$ positions of $c$ that are not distorted by $e$. Because $E_g$ is uniformly distributed in $E$, a cryptanalyst cannot identify which positions have better chances. 

Case IV.R.C: If $m_{1a} = m_{2a}$ and $m_{1b} = m_{2b}$ are known beforehand, then $c_1 + c_2 = (h(g(r_1 \| m_{1b})) + h(g(r_2 \| m_{2b})))G' + g(r_1 \| m_{1b}) + g(r_2 \| m_{2b})$. We cannot remove $(h(g(r_1 \| m_{1b})) + h(g(r_2 \| m_{2b})))G'$ from $c_1 + c_2$ because $r_1$ and $r_2$ are unknown. 

Case IV.R.D: Similar to Case IV.D. 

Case IV.R.E: If $m_{1a} \neq m_{2a}$ and $m_{1b} = m_{2b}$ are known beforehand, then $c_1 + c_2 = (m_{1a} + m_{2a} + h(g(r_1 \| m_{1b})) + h(g(r_2 \| m_{2b})))G' + g(r_1 \| m_{1b}) + g(r_2 \| m_{2b})$. Because $r_1$ is a 64-bit random vector, the probability that $r_1 = r_2$ (hence $g(r_1 \| m_{1b}) = g(r_2 \| m_{2b})$) is equal to $1/2^{64}$, which is negligibly small. Therefore, neither $(m_{1a} + m_{2a} + h(g(r_1 \| m_{1b})) + h(g(r_2 \| m_{2b})))G'$ nor $g(r_1 \| m_{1b}) + g(r_2 \| m_{2b})$ can be removed from $c_1 + c_2$. 

Case IV.R.F: If the value $m_{1a} + m_{2a}$ and $m_{1b} = m_{2b}$ are known beforehand, then $c_1 + c_2 + (m_{1a} + m_{2a})G' = (h(g(r_1 \| m_{1b})) + h(g(r_2 \| m_{2b})))G' + g(r_1 \| m_{1b}) + g(r_2 \| m_{2b})$. Neither $(h(g(r_1 \| m_{1b})) + h(g(r_2 \| m_{2b})))G'$ nor $g(r_1 \| m_{1b}) + g(r_2 \| m_{2b})$ can be removed from $c_1 + c_2 + (m_{1a} + m_{2a})G'$. 

Case IV.R.G: Similar to Case IV.G. 


Table 3. The possible weaknesses in Variant IV with parameter $q = 64$ 

Case        | Information Known Previously              | Information Leaked 
Case IV.R.A | $m_{1a}$ (or $m_{2a}$)                    | None 
Case IV.R.B | $m_{1b}$ (or $m_{2b}$)                    | None 
Case IV.R.C | $m_{1a} = m_{2a}$, $m_{1b} = m_{2b}$       | None 
Case IV.R.D | $m_{1a} = m_{2a}$, $m_{1b} \neq m_{2b}$    | None 
Case IV.R.E | $m_{1a} \neq m_{2a}$, $m_{1b} = m_{2b}$    | None 
Case IV.R.F | $m_{1a} + m_{2a}$, $m_{1b} = m_{2b}$       | None 
Case IV.R.G | $m_{1a} + m_{2a}$, $m_{1b} \neq m_{2b}$    | None 


Variant V: 

Encryption: Let $m = (m_a, m_b)$ be the message, and $c = f(m_a, e)G' + e$, where $e = g(r \| m_b)$, $g$ is an invertible function which maps $r \| m_b$ into an $n$-bit error vector of weight $t$, and $f$ is a trapdoor one-way function with two inputs ($m_a$ and $e$) and an output of a $k$-bit vector. Here the function $f$ and the function $g$ should have the same properties as in Variant II and Variant IV respectively. 

Decryption: First $m_a' = f(m_a, e)$ and $e$ are obtained by using the decryption algorithm of the code $G$. Secondly the receiver computes $r \| m_b = g^{-1}(e)$, where $g^{-1}$ is the inverse of $g$. Finally, $m_a$ is computed by $m_a = f^{-1}(m_a', e)$, where $f^{-1}$ is the inverse of $f$. 

Information rate: the same as Variant IV. 

Security: We discuss the security of this variant with parameter $q = 0$ and $q = 64$ respectively. 

Parameter $q = 0$: 

In Table 4, we show the possible weaknesses in Variant V with parameter $q = 0$. Some explanations for these cases are given in the following. 

Case V.A: Similar to Case IV.A. 

Case V.B: If $m_{1b}$ is known beforehand, we know $f(m_{1a}, g(m_{1b}))G' = c_1 + g(m_{1b})$. Similar to Case III.B, it is easy to compute $f(m_{1a}, g(m_{1b}))$ and hence $m_{1a} = f^{-1}(f(m_{1a}, g(m_{1b})), g(m_{1b}))$. 

Case V.C: Similar to Case III.C. 

Case V.D: If $m_{1a} = m_{2a}$ and $m_{1b} \neq m_{2b}$ are known beforehand, then $c_1 + c_2 = (f(m_{1a}, g(m_{1b})) + f(m_{2a}, g(m_{2b})))G' + e_1 + e_2$. We cannot erase $(f(m_{1a}, g(m_{1b})) + f(m_{2a}, g(m_{2b})))G'$ from $c_1 + c_2$. 

Case V.E: If $m_{1a} \neq m_{2a}$ and $m_{1b} = m_{2b}$ are known beforehand, then $c_1 + c_2 = (f(m_{1a}, g(m_{1b})) + f(m_{2a}, g(m_{2b})))G'$. We can only obtain the value $f(m_{1a}, g(m_{1b})) + f(m_{2a}, g(m_{2b}))$. 

Case V.F: Similar to Case IV.E. 

Case V.G: Similar to Case IV.D. 


Table 4. The possible weaknesses in Variant V with parameter $q = 0$ 

Case     | Information Known Previously              | Information Leaked 
Case V.A | $m_{1a}$ (or $m_{2a}$)                    | None 
Case V.B | $m_{1b}$ (or $m_{2b}$)                    | $m_{1a}$ (or $m_{2a}$) 
Case V.C | $m_{1a} = m_{2a}$, $m_{1b} = m_{2b}$       | None 
Case V.D | $m_{1a} = m_{2a}$, $m_{1b} \neq m_{2b}$    | None 
Case V.E | $m_{1a} \neq m_{2a}$, $m_{1b} = m_{2b}$    | None 
Case V.F | $m_{1a} + m_{2a}$, $m_{1b} = m_{2b}$       | None 
Case V.G | $m_{1a} + m_{2a}$, $m_{1b} \neq m_{2b}$    | None 
Parameter $q = 64$: 

In Table 5, we show the possible weaknesses in Variant V with parameter $q = 64$. Some explanations for these cases are given in the following. 

Case V.R.A: Similar to Case IV.R.A. 

Case V.R.B: Similar to Case IV.R.B. 

Case V.R.C: If $m_{1a} = m_{2a}$ and $m_{1b} = m_{2b}$ are known beforehand, then $c_1 + c_2 = (f(m_{1a}, g(r_1 \| m_{1b})) + f(m_{2a}, g(r_2 \| m_{2b})))G' + g(r_1 \| m_{1b}) + g(r_2 \| m_{2b})$. We can remove neither $(f(m_{1a}, g(r_1 \| m_{1b})) + f(m_{2a}, g(r_2 \| m_{2b})))G'$ nor $g(r_1 \| m_{1b}) + g(r_2 \| m_{2b})$ from $c_1 + c_2$. 

Case V.R.D: Similar to Case V.D. 

Case V.R.E: Similar to Case IV.R.E. 

Case V.R.F: Similar to Case V.R.C. 

Case V.R.G: Similar to Case V.G. 


Table 5. The possible weaknesses in Variant V with parameter $q = 64$ 

Case       | Information Known Previously              | Information Leaked 
Case V.R.A | $m_{1a}$ (or $m_{2a}$)                    | None 
Case V.R.B | $m_{1b}$ (or $m_{2b}$)                    | None 
Case V.R.C | $m_{1a} = m_{2a}$, $m_{1b} = m_{2b}$       | None 
Case V.R.D | $m_{1a} = m_{2a}$, $m_{1b} \neq m_{2b}$    | None 
Case V.R.E | $m_{1a} \neq m_{2a}$, $m_{1b} = m_{2b}$    | None 
Case V.R.F | $m_{1a} + m_{2a}$, $m_{1b} = m_{2b}$       | None 
Case V.R.G | $m_{1a} + m_{2a}$, $m_{1b} \neq m_{2b}$    | None 


5 Conclusions 

In this paper, we first propose two variants, Variant I and Variant II, of the McEliece scheme, which resist both the message-resend attack and the related-message attack. These two variants are probabilistic encryptions and have the same information rate as the original McEliece scheme. To improve the information rate and to resist Berson-like attacks, we also propose two variants, Variant IV and Variant V, of the McEliece scheme. In these two variants, if the parameter $q$ is equal to 0, then they are deterministic encryptions and improve the information rate from 0.51 to 0.79 if $k = 524$, $n = 1024$, $t = 50$, or from 0.63 to 0.87 if $k = 654$, $n = 1024$, $t = 37$. If the parameter $q$ is equal to 64, then they are probabilistic encryptions and improve the information rate from 0.51 to 0.73 if $k = 524$, $n = 1024$, $t = 50$, or from 0.63 to 0.8 if $k = 654$, $n = 1024$, $t = 37$. 
Abstract. Many cryptographic protocols and cryptosystems have been proposed to make use of prime order subgroups of $Z_n^*$ where $n$ is the product of two large distinct primes. In this paper we analyze a number of such schemes. While these schemes were proposed to utilize the difficulty of factoring large integers or that of finding related hidden information (e.g., the order of the group $Z_n^*$), our analyses reveal much easier problems as their real security bases. We itemize three classes of security failures and formulate a simple algorithm for factoring $n$ given a disclosed non-trivial factor of $\phi(n)$, where the disclosure is made in order to use a prime order subgroup of $Z_n^*$. The time complexity of our algorithm is expressed in terms of the disclosed subgroup order $f$. To factor such $n$ of length up to 800 bits, with the subgroup having a secure size against computing discrete logarithms, the new algorithm has a feasible running time using a trivial amount of storage. 



1 Introduction 



Let $n = pq$ where $p$ and $q$ are large primes. The multiplicative group of integers modulo $n$, which we denote $Z_n^*$, has a secret order (the number of elements in the group) $(p-1)(q-1)$. It is assumed to be difficult to discover this quantity from $n$, and the difficulty has been used as the security basis for many cryptosystems and protocols including RSA, Fiat-Shamir, Rabin, Guillou-Quisquater, and many more. 

In the literature we also often see cryptosystems and cryptographic protocols (crypto schemes) that make use of prime order subgroups of $Z_n^*$. In the sequel, whenever we say subgroup, we refer to a prime order subgroup of $Z_n^*$. The order of such a subgroup is a prime number. The schemes referred to above involve various ways of using such subgroups. In one use (the cryptosystem reviewed in Section 2.2), subgroup elements are disclosed while their order is hidden, and the security basis is an assumed difficulty of finding the order of a given element. In another use (see Section 3), a subgroup is made public by disclosing both the order and the elements. This use allows zero-knowledge proofs of some properties (such as possession or equality) of the discrete logarithms of the group elements. 



K. Ohta and D. Pei (Eds.): ASIACRYPT'98, LNCS 1514, pp. 214-…, 1998. 
© Springer-Verlag Berlin Heidelberg 1998 
We will analyze each of the crypto schemes referred to in the above paragraph and itemize three classes of security failures from our analysis. Class 1: given elements of a prime order subgroup, the group order, even when kept secret, cannot be used as an RSA-like hidden trapdoor. Class 2: a disclosed prime order subgroup allows one to solve problems which would be difficult in $Z_n^*$ had the subgroup not been disclosed. Class 3: the size of a disclosed subgroup relative to that of $Z_n^*$ leads to a significant reduction in the complexity of factoring $n$. We will formulate a simple algorithm for factoring $n$ with the special structure designed for making use of prime order subgroups in $Z_n^*$. To factor such $n$ of length up to 800 bits, our algorithm has a feasible running time using a trivial amount of storage. 

Throughout the paper we stipulate $n = pq$ for $p$ and $q$ distinct large primes. For an element $a \in Z_n^*$, we will use $\mathrm{ord}_n(a)$ to denote the order of $a$ modulo $n$, which is the least positive integer $b$ satisfying 

$a^b \equiv 1 \pmod{n}.$ 

We also confine ourselves to subgroups of odd prime order; namely, we exclude the case of order 2. Such subgroups merely contain elements which can be used to factor $n$ (if they are not the trivial numbers $n-1$ or 1). 



2 Class 1: Absence of RSA-like Hidden Trapdoor in any Prime Order Subgroup 



Let $g \neq 1$ be a non-secret element in a prime order subgroup. Since $g \bmod p$ ($g \bmod q$) is an element of $Z_p^*$ ($Z_q^*$), we have the following: 

$\mathrm{ord}_p(g) \mid p - 1, \qquad \mathrm{ord}_q(g) \mid q - 1.$ 

So 

$p = \mathrm{ord}_p(g)\,k + 1, \qquad q = \mathrm{ord}_q(g)\,\ell + 1, \qquad (1)$ 

for some (even) numbers $k$ and $\ell$. A basic fact in number theory states the following: for every $x \in Z_n^*$, 

$m \mid n \text{ implies } \mathrm{ord}_m(x) \mid \mathrm{ord}_n(x). \qquad (2)$ 

Since $\mathrm{ord}_n(g)$ is prime, from (2) we know either $\mathrm{ord}_p(g) = \mathrm{ord}_n(g)$ or $\mathrm{ord}_p(g) = 1$. The same is true for $\mathrm{ord}_q(g)$. Obviously we do not consider the case $\mathrm{ord}_n(g) = 1$. Thus (1) consists of one of the following three cases: 

$p = \mathrm{ord}_n(g)\,k + 1, \quad q = \mathrm{ord}_n(g)\,\ell + 1, \qquad (3)$ 

$p = \mathrm{ord}_n(g)\,k + 1, \quad q = \ell + 1, \quad \text{with } \mathrm{ord}_n(g) \nmid \ell, \qquad (4)$ 

$p = k + 1, \quad q = \mathrm{ord}_n(g)\,\ell + 1, \quad \text{with } \mathrm{ord}_n(g) \nmid k. \qquad (5)$ 
Note that case (4) implies $g \equiv 1 \pmod{q}$, or $q \mid g - 1$. Noting further $0 < g - 1 < n$, we will have (let $\gcd(x, y)$ denote the greatest common divisor of $x$ and $y$) 

$\gcd(g - 1, n) = q.$ 

Similarly for case (5), we will have 

$\gcd(g - 1, n) = p.$ 

We conclude to this end the following statement. 

Proposition 1. Let $g \in Z_n^*$ be a non-secret element and $\mathrm{ord}_n(g)$ be an odd prime. Then $n = pq$ must only use $p$ and $q$ with the structure shown in (3), or else the factorization of $n$ will be disclosed. □ 

A previous cryptosystem [2] contained the above failure by using moduli with the construction (4). The failure was later discovered by Henk Meijer [3], with a suggestion to fix it by using moduli with the construction (3). Below we will examine that construction as used in the cryptosystem reviewed in Section 2.2, and in Section 4 we will further examine the same construction for a different danger. 



2.1 The Case $n = pq = (\mathrm{ord}_n(g)\,k + 1)(\mathrm{ord}_n(g)\,\ell + 1)$ 

Further examining (3) we can see 

$n = pq = \mathrm{ord}_n(g)\,(\mathrm{ord}_n(g)\,k\ell + k + \ell) + 1.$ 

So $n - 1$ is a multiple of $\mathrm{ord}_n(g)$. The number $n - 1$ is publicly available even if $\mathrm{ord}_n(g)$ is kept secret. This fact tells us that the subgroup generated by $g$ does not have an RSA-like trapdoor. By an RSA-like trapdoor of a group, we mean a secret number which is the inverse of a public exponent modulo the group order. The trapdoor is hidden because the group order is. 

Now in the case of $n - 1$ being a multiple of the group order, for any public exponent $e$, one can compute $d$ to satisfy 

$ed \equiv 1 \pmod{n - 1}. \qquad (6)$ 

The existence of $d$ is not a problem. If $\gcd(e, n-1) > 1$, we can replace $n - 1$ in (6) with the quotient obtained by dividing out that common factor, which will still be a multiple of $\mathrm{ord}_n(g)$ unless $\gcd(e, n-1) = \mathrm{ord}_n(g)$, which is the most welcome case because we have then discovered the hidden order. 

Since $\mathrm{ord}_n(g) \mid n - 1$, (6) implies $ed \equiv 1 \pmod{\mathrm{ord}_n(g)}$. Thus, in any subgroup of order $\mathrm{ord}_n(g)$, RSA-like encryption or signature algorithms will no longer be secure. Any variations relying on the secrecy of $\mathrm{ord}_n(g)$ will fail too. Below we review a cryptosystem that fails in this way. 
2.2 Scheme Failure 

The scheme analyzed here consists of a public-key encryption algorithm and a digital signature algorithm. Both work in a prime order subgroup of $Z_n^*$. The order of the subgroup is $r = \mathrm{ord}_n(g)$, a prime of size 160 bits which is kept secret by the owner of $n$. 

In the encryption algorithm, the public key is $(g, n)$, and the private key is a number $z$ computed as follows: 

$z = -\frac{1}{2} \bmod r.$ 

To encrypt a message $0 < m < n$, the sender picks a random number $t$ of size less than 160 bits, and computes the ciphertext pair $(u, v)$ as follows: 

$u := g^{2t} \bmod n,$ 

$v := m\,g^{t} \bmod n.$ 

The recipient decrypts the pair $(u, v)$ by the following calculation: 

$m := u^{z} v \bmod n.$ 

The number $n - 1$ will suffice for a non-recipient to compute a substitute for $z$ and thereby decrypt $(u, v)$. Let 

$n - 1 = 2^{t} s$ 

for some $t$ such that $s$ is odd. A non-recipient can compute 

$z' = -\frac{1}{2} \bmod s.$ 

Noting that $s$ is a multiple of $r$ and the latter is the order of $u$, it is easy to see 

$u^{z'} v \equiv m \pmod{n}.$ 

This means decryption can be performed by anybody. 

A similar failure in the digital signature algorithm of this cryptosystem can be demonstrated analogously, using $n - 1$ as the trapdoor needed. The failure allows anybody to issue signatures for the owner of the public key $(g, n)$. 
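The checks of this section on toy-sized numbers, as an added example that is not code from the paper: a modulus of structure (3) is built, the divisibility $\mathrm{ord}_n(g) \mid n - 1$ is exploited to invert a public exponent (Section 2.1), the scheme of Section 2.2 is decrypted with and without the secret $z$, and a case (4) element is factored as in Proposition 1. The exponent 2 in $u = g^{2t}$ and the key $z = -1/2 \bmod r$ follow the reading of the scheme given above and are assumptions of this example; all numbers are constructed and far too small for real use.

```python
"""Added example (not from the paper): the Class 1 failure of Sect. 2 checked
on toy-sized numbers.  The primes, exponent and message below are constructed
for illustration only and are far too small for any real use."""
from math import gcd


def is_prime(x):
    """Trial division; adequate for the toy sizes used here."""
    if x < 2:
        return False
    d = 2
    while d * d <= x:
        if x % d == 0:
            return False
        d += 1
    return True


def structure3_modulus(r, k, l):
    """p = rk + 1, q = rl + 1, i.e. construction (3); r, p, q must be prime."""
    p, q = r * k + 1, r * l + 1
    if not (is_prime(r) and is_prime(p) and is_prime(q)):
        raise ValueError("constructed parameters are not prime")
    return p, q


def crt(a, p, b, q):
    """The x in [0, pq) with x = a (mod p) and x = b (mod q)."""
    return (a + p * (((b - a) * pow(p, -1, q)) % q)) % (p * q)


def element_of_order(r, p, q, start=2):
    """g with ord_p(g) = ord_q(g) = r, hence ord_n(g) = r, assembled by CRT from
    elements of order r in Z_p^* and Z_q^* (x^((p-1)/r) has order r or 1)."""
    x = start
    while True:
        gp, gq = pow(x, (p - 1) // r, p), pow(x, (q - 1) // r, q)
        if gp != 1 and gq != 1:
            return crt(gp, p, gq, q)
        x += 1


def degenerate_element(g, p, q):
    """An element of order r that is 1 mod q: the situation of case (4)."""
    return crt(g % p, p, 1, q)


def factor_from_degenerate(g, n):
    """Proposition 1: for a case (4)/(5) element, gcd(g - 1, n) is a factor."""
    return gcd(g - 1, n)


def trapdoor_from_modulus(n, e):
    """Sect. 2.1: ord_n(g) | n - 1, so d = e^{-1} mod (n - 1) inverts the public
    exponent e on the whole subgroup without knowing ord_n(g)."""
    if gcd(e, n - 1) != 1:
        raise ValueError("e shares a factor with n - 1; divide it out first")
    return pow(e, -1, n - 1)


def odd_part(x):
    while x % 2 == 0:
        x //= 2
    return x


def scheme_encrypt(m, g, n, t):
    """Sect. 2.2 encryption: (u, v) = (g^(2t), m g^t) mod n."""
    return pow(g, 2 * t, n), (m * pow(g, t, n)) % n


def scheme_decrypt(u, v, z, n):
    """m = u^z v mod n; works for any z with 2z = -1 modulo the order of g."""
    return (pow(u, z, n) * v) % n


def owner_key(r):
    """The legitimate private key z = -1/2 mod r, with r = ord_n(g) secret."""
    return (-pow(2, -1, r)) % r


def outsider_key(n):
    """A non-recipient's z' = -1/2 mod s, s the odd part of n - 1 (a multiple
    of r); only the public modulus is needed."""
    s = odd_part(n - 1)
    return (-pow(2, -1, s)) % s


def demo():
    """Run every check of the section on n = 23 * 67 = 1541, r = 11."""
    p, q = structure3_modulus(11, 2, 6)
    n = p * q
    g = element_of_order(11, p, q)
    d = trapdoor_from_modulus(n, 3)
    u, v = scheme_encrypt(1000, g, n, 7)
    return {
        "order_divides_n_minus_1": (n - 1) % 11 == 0,
        "rsa_like_inverted": pow(pow(g, 3, n), d, n) == g,
        "owner_decrypts": scheme_decrypt(u, v, owner_key(11), n) == 1000,
        "outsider_decrypts": scheme_decrypt(u, v, outsider_key(n), n) == 1000,
        "case4_factors": factor_from_degenerate(degenerate_element(g, p, q), n) == q,
    }
```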



3 Class 2: Difficult Problem Made Easy Due to Disclosure 
of a Subgroup 

Given elements in a group, zero-knowledge proofs showing some properties re- 
garding their discrete logarithms require to make the group order public (at least 
to the parties involved in the zero-knowledge protocols). But when the group in 
question is Z*, the order (p — l)(g — 1) cannot be disclosed or else no use of the 
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integer factorization problem can be made. A clever idea to solve this contra- 
diction is to define zero-knowledge protocols working in a prime order subgroup 
of Z*, with the order disclosed without leading to discovery of (p — l)(g — 1). A 
widely adopted method 11181111 llldl l to achieve this is to construct p and q with 
the structures given in (3), and make g and ordn{g) public. Here g is chosen 
such that ordn{g) = ordp{g) = ordq{g). 

A scheme failure demonstrated here is a result of transforming a problem 
which is known to be difficult in Z*, into an easy one in a prime order subgroup. 

This is a group signature scheme [1 ,'lj . (In order to avoid confusion between a mathematical group and a group of people, in the sequel we use the bold font to refer to the latter.) A group signature scheme allows an individual member in a group (e.g., a corporation environment) to issue a signature on behalf of the group with the signer's identity hidden from the signature verifier (who verifies a signature using the public key of the group). Such signature algorithms are probabilistic ones in that it should be computationally infeasible to decide whether two signatures have been issued by the same group member. To prevent anonymity misuse, a group manager, upon inputting an administration secret and a signature, can deterministically identify the signer who has issued the signature. This is usually achieved by encrypting the signer's identity under the public key of the group manager at the time of signature issuance; the manager need not stay on line.

In this scheme the group manager's public-key cryptosystem is the ElGamal cryptosystem 0 working in a prime order subgroup of Z*_n. Using the notation of Pnii the subgroup is set up as follows. Let n = p_1 p_2 where p_1, p_2 are distinct large primes. Let further q be another prime of size about 160 bits, with q | p_1 - 1 and q | p_2 - 1. Fixing an element g ∈ Z*_n of order q (modulo both p_1 and p_2), the manager's public key is y, computed as follows:

y := g^x mod n,

where x < q is the private key of the manager (the above-mentioned administration secret). It is assumed that n and g are generated by a trusted center, and nobody else, not even the group manager or the members, will know the factorization of n. The center also generates an RSA public exponent e, again with nobody else knowing the inverse of e modulo (p - 1)(q - 1).

Let the group have k members. Each member i (1 ≤ i ≤ k) chooses a secret s_i ∈ Z*_n and generates an identity by encrypting the secret s_i with RSA encryption:

id_i := s_i^e mod n.

From the assumption in key generation, we know that even the manager cannot learn s_i, the secrets of the members. So (s)he cannot frame any member (provided each member i makes sure not to choose s_i of order q, and this is easy to check by computing s_i^q mod n). These k identities id_j (1 ≤ j ≤ k) are announced to the public, together with g, e, n. So the public key of the group is the following tuple:

(id_1, id_2, ..., id_k, g, e, n).
Omitting details, when the member i issues a signature, (s)he shall use the identities of all members in the group and create k pairs of ElGamal-like ciphertext blocks

(A_j, B_j) = (g^{w_j} mod n, (id_i / id_j) · y^{w_j} mod n), 1 ≤ j ≤ k,

where d_j are part of the signature value, and w_j are random numbers chosen by the signer i (for j = 1, 2, ..., k). The scheme also requires the signer to prove, in zero-knowledge, possession of the e-th root of one of the k identities. It is thus obvious that only a group member is able to have generated the above ciphertext pairs, and hence to have issued a signature.

At first glance, a verifier, apart from knowing the fact that each pair (A_j, B_j) is generated using the identity id_j (for 1 ≤ j ≤ k), cannot identify the signer i from these pairs. On the other hand, the group manager can identify the signer because each pair (A_j, B_j) (1 ≤ j ≤ k) provides an ElGamal encryption of id_i / id_j under the manager's public key y, and the member i is identified because decrypting (A_i, B_i) will return 1.

However, we notice that 1 is an element in any subgroup of Z*_n, in particular in all subgroups of order q. Thus,

ord_n(B_i) = ord_n(y^{w_i}) = q,

while

ord_n(B_j) = ord_n((id_i / id_j) · y^{w_j}) ≠ q, for j ≠ i.

These facts can easily be learned by anybody by checking whether B_j^q mod n is 1, for 1 ≤ j ≤ k. There is no need for an outsider to find the e-th root in Z*_n, which is well known to be a difficult problem.

A similar failure occurred in a protocol for fair exchange of signed documents Q (discovered by Colin Boyd), which allows decryption by any non-recipient using the order of a disclosed subgroup.

The moral of this failure is that when a prime order subgroup of Z*_n is made public, great care must be taken in protocol design not to transform a problem in Z*_n, which is thought to be difficult, into an easy job in the subgroup.
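The order test described in this section on a toy instance, as an added example that is not part of the paper: the manager's ElGamal encryption in a subgroup of order q of Z*_n, the k ciphertext pairs a signer produces, and the two ways of reading the signer back out of them. Every parameter (q = 5, p_1 = 11, p_2 = 31, e = 7, the manager's secret x, three members with secrets 2, 3, 7) and every function name is constructed here for illustration; the secrets are chosen so that each passes the paper's s_i^q mod n ≠ 1 check.

```python
# Added example (not the paper's code): the leak in the group signature scheme on
# a toy instance. All parameters below are constructed for illustration.
import random

def subgroup_generator(p1, p2, q):
    """Smallest g in Z*_n (n = p1*p2) of order q modulo both p1 and p2."""
    n = p1 * p2
    for g in range(2, n):
        if g % p1 in (0, 1) or g % p2 in (0, 1):
            continue
        if pow(g, q, p1) == 1 and pow(g, q, p2) == 1:
            return g
    raise ValueError("no element of order q found")

def in_order_q_subgroup(n, q, b):
    """True iff b^q = 1 mod n, i.e. ord_n(b) divides the prime q (b = 1 or ord_n(b) = q)."""
    return pow(b, q, n) == 1

def elgamal_encrypt(n, g, y, q, m, rng):
    """ElGamal in the subgroup: (g^w, m * y^w) mod n with w < q; m need not lie in the subgroup."""
    w = rng.randrange(1, q)
    return pow(g, w, n), (m * pow(y, w, n)) % n

def signature_pairs(n, g, y, q, ids, signer, rng):
    """The k pairs (A_j, B_j) = (g^{w_j}, (id_i / id_j) * y^{w_j}) mod n made by member i."""
    return [elgamal_encrypt(n, g, y, q, ids[signer] * pow(idj, -1, n) % n, rng)
            for idj in ids]

def manager_identify(n, x, pairs):
    """The manager decrypts every pair; the one decrypting to 1 names the signer."""
    for j, (a, b) in enumerate(pairs):
        if b * pow(pow(a, x, n), -1, n) % n == 1:
            return j
    return None

def outsider_identify(n, q, pairs):
    """No secret needed: B_j lies in the order-q subgroup exactly when id_i / id_j = 1."""
    hits = [j for j, (_, b) in enumerate(pairs) if in_order_q_subgroup(n, q, b)]
    return hits[0] if len(hits) == 1 else None

# Constructed toy parameters: q | p1 - 1, q | p2 - 1 and gcd(e, (p1-1)(p2-1)) = 1.
Q, P1, P2, E = 5, 11, 31, 7
N = P1 * P2
G = subgroup_generator(P1, P2, Q)
X = 2                                  # manager's administration secret, x < q
Y = pow(G, X, N)                       # manager's public key y = g^x mod n
SECRETS = [2, 3, 7]                    # members' s_i, each passing the s_i^q != 1 check
IDS = [pow(s, E, N) for s in SECRETS]  # id_i = s_i^e mod n

def members_pass_order_check():
    """The paper's per-member check: no s_i of order q."""
    return all(not in_order_q_subgroup(N, Q, s) for s in SECRETS)

def leak_matches_manager(signer, seed=1):
    """The outsider's order test and the manager's decryption name the same member."""
    pairs = signature_pairs(N, G, Y, Q, IDS, signer, random.Random(seed))
    return manager_identify(N, X, pairs) == outsider_identify(N, Q, pairs) == signer
```

The per-member check on s_i is not what fails here: every secret above passes it, and the signer is still recovered from B_j^q mod n alone. The property a design has to guarantee is that every ciphertext component an outsider can see lies in the disclosed subgroup regardless of the plaintext, so that membership in the subgroup carries no information.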



4 Class 3: Significant Complexity Reduction for Integer Factorization

Let us now examine the structure of a composite integer n = pq in which a factor of φ(n) = (p - 1)(q - 1) is made public. The widely adopted method for disclosing a subgroup of Z*_n HEnmni) is in such a structure. Let

n = pq, p = 2p'f + 1, q = 2q'f + 1, (7)

where p, q, f are distinct primes and p', q' are relatively prime integers. Here we see that the quantity

r = 4f^2 (8)

is a factor of φ(n), and in the schemes referred to above, the factor r is made public. (In PU, an additional factor, which is a factor of p', is also made public. We will examine that case in a moment.)

We first note

n + 1 = φ(n) + p + q. (9)

So when r | φ(n) is disclosed, we have

p + q ≡ n + 1 (mod r). (10)

For r < p + q (otherwise the above congruence is an equation and p + q is disclosed directly), we can rewrite the congruence (10) as

p + q = kr + (n + 1 mod r), (11)

where k is an unknown quantity to be determined. From (11) it is easy to see |k| ≈ |p + q| - |r|, where |a| denotes the bit length of the integer a in binary representation. Notice that if p + q becomes known, factoring n follows by a simple calculation. For known r, finding p + q using (11) is equivalent to finding the unknown k, and hence the difficulty of factoring n is equivalent to that of finding k. Clearly, an exhaustive search for p + q based on equation (11) will require

O(2^{|p+q| - |r|}) = O(2^{|(p'+q')/2f|}) (12)

steps. This seems to be the basis for the choice of security parameters in most schemes using a prime order subgroup of Z*_n 1 819111 1 l!i| . However, there exists a much more efficient attack requiring only the square root of the above complexity. Combining (9) and (11), we have

n + 1 - (n + 1 mod r) = φ(n) + kr. (13)

Since u^{φ(n)} ≡ 1 (mod n) for an arbitrary u in Z*_n, raising u to both sides of (13) yields

u^{n + 1 - (n + 1 mod r)} ≡ w^k (mod n), (14)

where w = u^r mod n is known. Here we may assume u to have the maximum order λ(n) = 2fp'q', since most elements in Z*_n will have this order. Note by symmetry, for p > q (hence p' > q') and q' ≥ 3, we have

ord_n(u) = 2fp'q' ≥ 2fp'·3 = 3(p - 1) > 2p > p + q > kr.

So the order of u (greatly) exceeds kr, and this means that in the transformation from (9), (11) to (14), the quantity k will not be reduced modulo ord_n(u).
A straightforward way to solve the equation (14) is to use Shanks' "baby-step giant-step" method (e.g., see [THE]). It requires

O(2^{|k|/2}) = O(2^{(|p+q| - |r|)/2}) (15)

steps of group computation (multiplication modulo n) and the same order of memory. This is a much lower time complexity than that in (12), as it is the positive square root of (12).^1 However, since space is usually more expensive than time, the large space needed makes this method likely to be infeasible for k of critical sizes. Fortunately there are two memoryless variants of Shanks' method due to Pollard: the rho method and the lambda method (see also ^Hj). Both methods have the same square-root running time, but the space requirement is negligible. Pollard's rho method requires explicit knowledge of the order of the underlying group (i.e., the order of w in (14)), so it can't be used for our purpose. However, the lambda method works even if the group order is not known; the method may produce an exponent with a small multiple of the group order added (modulo addition/subtraction). This is usually not a problem. In particular, for k with sizes of our interest, the order of w (ord_n(w) = p'q') should be much larger than k. So we can extract the exact value of k from the lambda method.

In the above we have proven the following statement:

Proposition 2. Let n = pq for p, q being two distinct primes and suppose that |p| ≈ |q|. When r is a known factor of (p - 1)(q - 1), then n can be factored in time O(2^{(|p+q| - |r|)/2}) using Pollard's lambda method. □

Most schemes using the key setting in (7) base their security on both the difficulty of factoring n and the difficulty of finding discrete logarithms mod f for the known order f. Let us consider minimal requirements for choosing key parameters for such applications. For this, suppose that the currently (perhaps not long-term) accepted comfortable margin for computational infeasibility is about 2^70. First of all, the disclosed order f should be at least 140 bits long to thwart Pollard's rho method for finding discrete logarithms mod f. Next, Proposition 2 requires that |n| - 2|r| should be at least 280. Therefore, the modulus n should be at least 844 bits long (i.e., |p| = |q| = 422), since |r| = 2|f| + 2 = 282. More generally, to guarantee the same security level (in steps) against both of the above two attacks, we should have at least

|p| = |q| ≥ 3|f|.

Note however that though Proposition 2 is the best result currently known (at least to the authors) on the exploitation of computing small discrete logarithms, we can't exclude the possibility that a more efficient specialized factoring attack exists for such a key setting.
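The arithmetic behind (9), (10), (11) and the parameter rule drawn from Proposition 2, as an added example that is not the paper's code. The moduli are constructed toys of the form (7): p' = 3, q' = 4, f = 11 gives p = 67, q = 89, where r = 4f^2 = 484 exceeds p + q so (10) is already an equation; p' = 2, q' = 5, f = 3 gives p = 13, q = 31, where r = 36 < p + q = 44 and k = 1 in (11). The search for k via (14) is deliberately not implemented; what is shown is the bookkeeping a key generator needs to reject weak sizes. The function names, the bit-length estimates (|p + q| taken as |n|/2 + 1) and the 2^70 margin used as a default are assumptions of this example.

```python
# Added example (not the paper's code): the identities behind (9)-(11) on constructed
# toy moduli of the form (7), and the parameter-size rule drawn from Proposition 2.
# The search for k in (14) is left out; only the arithmetic around it is shown.
from math import isqrt

def structured_modulus(p_dash, q_dash, f):
    """n = pq with p = 2p'f + 1, q = 2q'f + 1 as in (7); the caller picks values making p, q prime."""
    p, q = 2 * p_dash * f + 1, 2 * q_dash * f + 1
    return p * q, p, q

def identity_9(p, q):
    """Check (9): n + 1 = phi(n) + p + q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n + 1 == phi + p + q

def sum_from_k(n, r, k):
    """Equation (11): p + q = k*r + (n + 1 mod r), r being the disclosed factor of phi(n)."""
    return k * r + (n + 1) % r

def split_from_sum(n, s):
    """The 'simple calculation' once p + q is known: p, q are the roots of X^2 - sX + n."""
    disc = s * s - 4 * n
    if disc < 0:
        return None
    root = isqrt(disc)
    if root * root != disc or (s + root) % 2:
        return None
    p, q = (s + root) // 2, (s - root) // 2
    return (p, q) if p * q == n else None

def attack_bits(n_bits, f_bits):
    """(|k|, |k|/2) for r = 4f^2 and |p| = |q| = |n|/2: |r| = 2|f| + 2 and |k| ~ |p + q| - |r|."""
    r_bits = 2 * f_bits + 2
    k_bits = (n_bits // 2 + 1) - r_bits      # |p + q| is one bit more than |p|
    return k_bits, k_bits / 2               # the lambda method costs about 2^(|k|/2) steps

def min_modulus_bits(f_bits, margin_bits=70):
    """The paper's rule |n| - 2|r| >= 4 * margin, so the square-root attack costs >= 2^margin."""
    return 2 * (2 * f_bits + 2) + 4 * margin_bits

def parameter_report(n_bits, f_bits, margin_bits=70):
    """Does a (|n|, |f|) choice satisfy both the rho bound on f and Proposition 2?"""
    k_bits, work = attack_bits(n_bits, f_bits)
    return {
        "k_bits": k_bits,
        "lambda_work_bits": work,
        "f_ok": f_bits >= 2 * margin_bits,     # rho on the order-f subgroup: 2^(|f|/2)
        "n_ok": n_bits >= min_modulus_bits(f_bits, margin_bits),
    }
```

Run against the paper's own figures, attack_bits(704, f) reproduces the |k| column of Table 1 (31, 39, 47, 55 for |f| = 160, 156, 152, 148) and min_modulus_bits(140) gives the 844 bits derived above; parameter_report is the check to put in front of any key generator that publishes a factor of φ(n).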



^1 A similar (less general) method for the square-root reduction was first given in [12].

  |f|    |k|    complexity    actual timing
  160    31     2^15          12 seconds
  156    39                   197 seconds
  152    47     2^23          54 minutes
  148    55     2^28          18 hrs 22 min

Table 1. Implementation results of Pollard's lambda method for |n| = 704



From the above analysis we know that 840 should be the least length setting for a modulus n in the construction (7) of which a subgroup of order f is disclosed. Any such moduli with length less than 800 bits are likely to be dangerous. For instance, for an 800-bit n = pq with p, q of similar lengths and for f being a 160-bit prime, n can be factored in roughly 2^^ steps of multiplication, well within the grasp of a determined attacker. In the case of the key setting in (|f| = 140, |p| = |q| = 350), the cost for factoring is about 2 ^® steps. The key setting in Sect. 5 of consists of |f| = 160, |p| = |q| = 395, and thus n can be factored in about 2 ^® steps.

A prime order subgroup used in Sect. 4 of HH uses the following construction for the modulus n:

n = pq, p = 2p'γ^d f + 1, q = 2q'f + 1,

where gcd(γ, x) = 1 for x = p', q', f. The numbers f, γ, and d are disclosed. Further, El stipulates that γ^d should be in the following order of magnitude

where poly_1(k), poly_2(k) are polynomials in k = |p'| = |q'| (this definition of k is specified in Section 2 of ^Hl). In S3, no information is given on the sizes of p and q with respect to the size of γ^d. However, from the specified order of magnitude, the size of γ^d is comparable to |p'|, |q'| and it may easily reach a few hundred bits. Note that in such a setting, 4f^2 γ^d is a known factor of (p - 1)(q - 1). So using this factor in the complexity bound in Proposition 2, the time for factoring n can further be lowered by 2^{|γ^d|/2} times from the case where only f is disclosed. The only way to avoid factorization is to increase the size of the modulus (and one must at the same time limit the degree of poly_2(k) in comparison to that of poly_1(k)). Such moduli are likely to exceed a practical size.

We have implemented Pollard's lambda method for solving the equation (14) to verify that our attack actually works. A number of moduli with the structure of (7) have been tested and successfully factored. As nontrivial examples (listed in Appendix A), each modulus n has 704 bits and φ(n) has a factor r = 4f^2 with f being prime. We computed the exponent k in (14) using our implementation of the lambda method and knowledge of n and f only. Table 1 lists the result of factoring four 704-bit moduli n with |f| = 160, 156, 152 and 148, corresponding to |k| = 31, 39, 47 and 55, respectively, on a Pentium II PC (Windows 95, 266 MHz). We used the crypto library with partial assembly coding (developed in Future Systems, Inc.), but the lambda algorithm itself was not much optimized.

Note that Pollard's lambda method can be parallelized with a perfect linear speedup (m-fold speedup with m processors) analogously to the rho method m-. Exploiting the parallelizability, a time complexity at such a level (exceeding the problems in mm) can be handled by amateur attackers. For example, using 128 processors, each at the level of a 266 MHz Pentium II, we can deduce from our experiment that a 704-bit modulus with |f| = 140 (resulting time complexity: 2^^) can be factored within one day.

5 Conclusion

We have analyzed a number of failures in cryptosystems and protocols that use prime order subgroups of Z*_n, and shown that great care must be taken in such uses. The results of the open trapdoor revealed in Section 2, and the much lowered complexity for factoring n shown in Section 4, may not be new in mathematics; nevertheless, to our belief, the community of cryptosystem and protocol design should be aware of them.
A Factorization Examples

Listed here are four examples of factoring composite numbers n_i = p_i q_i with |n_i| = 704 (i = 1, 2, 3, 4). Each of them is in the structure of (7) with a disclosed prime number f_i satisfying 4f_i^2 | φ(n_i), respectively. (Each disclosed number is the prime order of a subgroup in Z*_{n_i}.) The factorization procedure, which uses knowledge of n_i and f_i only, consists of the following steps. Let r_i = 4f_i^2; find k_i by solving (14) using Pollard's lambda method and an arbitrary u ∈ Z*_{n_i}; finally compute the sum of the two factors p_i + q_i from (11).



n_1 =
44038789839272366089711678758549018585781306376481219309675016031571
59110337100473118835059630202675486525459776285546455730190806180736
80685283791730902303592537905553614145315768184318908979789396252844
29109969

f_1 = 1279307573885884659565630730667563032209304623881 (|f_1| = 160)
k_1 = 2027611962 (|k_1| = 31)

p_1 + q_1 =
13273784976299044547490668423368063756808688033061030560778659385613
470153995077873141935147799796097271326

p_1 =
67346271288005758035121802466486698270341935982350484466308017371045
48023040804821535454700449823437654803

q_1 =
65391578474984687439784881767193939297744944348259821141478576485089
22130954273051606480447349972659616523

n_2 =
64554109864989573045209981572033362472631867814455170482343370081941
75374614719836519737903434764927667241348701311953011118637118842580
20822822610693337656026764057069349846323931678811070617670913443882
33210497

f_2 = 86377634978865770214549290023394612171958862633 (|f_2| = 156)
k_2 = 538747074867 (|k_2| = 39)

p_2 + q_2 =
16078574203113175306560234663909305050475184101648412171345388343619
358401841450007235060358847689467446062

p_2 =
77635567327820418210972396543355782102974407297844441005838281962192
92538274120851161987346342157066235939

q_2 =
83150174703311334854629950095737268401777433718639680707615601474000
65863567329156073073012505532401210123

n_3 =
49717795134695045326475112627330486057331272421904875018507553084533
28535166549501577613963887317483273134902374557567913651145723535990
21740913276114932911412468599093017719864542252814715746579589808031
33009497

f_3 = 5199318848515295611566769410707286918384452513 (|f_3| = 152)
k_3 = 130766945849270 (|k_3| = 47)

p_3 + q_3 =
14140047706411940330625844939512048374565564888066290058212225984441
079384020823262406209041853117141243942

p_3 =
65528757600968992834709152083734731421153187063781982357964242382851
02130907506525723131350775223761127159

q_3 =
75871719463150410471549297311385752324502461816880918224158017461559
77253113316736683077691077893380116783

n_4 =
48674186760539467681018145523056045973888236415345231292673943613500
03686092964604087243177579323851165956239195451395380585901768379305
01449596943339226807057417747240009896818786895758692021292580430607
40210629

f_4 = 330123952043083490387386128078634198300183001 (|f_4| = 148)
k_4 = 32139335064789130 (|k_4| = 55)

p_4 + q_4 =
14010413393076943015390974069221998326136511372422548051245305917863
342832550005586489706641326886563369946

p_4 =
76366606542329158917195431596702997461688808846138079970516645219141
51997938395920083821905816573720062483

q_4 =
63737527388440271236714309095516985799676304878087400541936413959491
90834611609666405884735510312843307463
Abstract

FAPKC [17, 18, 19, 20, 22] is a public key cryptosystem based on weakly invertible finite automata. Weak invertibility of FAs is the key to understanding and analyzing this scheme. In this paper a set of algebraic terminologies describing FAs is developed, and the theory of weak invertibility of FAs is studied. Based on this, a cryptanalysis of FAPKC is made. It is shown that the keys proposed in [17, 18, 19, 20, 21] for FAPKCs are insecure both in encrypting and in signing.

Keywords: finite automaton, public key cryptosystem, cryptanalysis



1 Introduction

A finite automaton (FA) is a widely used concept in computer science and has several definitions slightly different from each other according to applications. In this context, it refers to a finite sequential state machine, which has been studied widely, for example in [1-16]. The action of such a machine is controlled by a clock which ticks with inputs, i.e., on receiving an input symbol, it produces an output symbol and its state transfers to a new one according to certain rules; thus with an initial state and an input sequence of finite length it produces an output sequence of the same length. Hence a finite automaton is an analogue of a usual function when viewed as a transformation from input sequences to output sequences. A weakly invertible finite automaton (WIFA) with delay τ, or simply τ-weakly invertible finite automaton, is an FA in which any input is uniquely determined by the corresponding state and output together with the subsequent τ outputs. That is, the input information can be recovered from the outputs after waiting τ steps, or in other words, with τ delays. WIFAs are similar to the usual injective functions in the respect that one can retrieve the input information from the outputs. However, the delay τ and the state dependence make it much more complicated to recover the input information than for the usual injective functions. The first objective of this paper is to set up a systematic theory dealing with problems such as how to construct weakly invertible FAs and their weak inverses, and how to routinely retrieve input information from outputs and the initial state.

FAPKC, which is a public key cryptosystem and can do both encrypting and signing, is based on weakly invertible finite automata (WIFAs). FAPKC was first introduced in 1985 [17], named FAPKC0. Some versions were published in 1986 [18], named FAPKC1 and FAPKC2. Then a new version was introduced in 1995 [20], named FAPKC3. Roughly speaking, in all these systems, the private key consists of two FAs whose weak inverses can be easily constructed, and the public key is the composition of them. It is believed in [18-21] that it is hard to decompose the public key to get the two private FAs and that it is hard to get a weak inverse of the composed FA without knowing this decomposition; hence any user can encrypt messages or verify signatures using the public key, but can neither decrypt the ciphertexts nor forge the signatures without knowing its two private components. To hide the components from the composed FA, it is proposed to use boolean functions to express the composition. Then how to maintain a moderate public key size becomes a big problem, as composition would generally yield an exploding boolean expression when the outer component is nonlinear. The proposed method is to restrict the input set X to be equal to or smaller than T®, where F is the binary field GF(2), and to restrict the nonlinear degree of the components to be small. The early versions were analysed in some papers, say in [23, 24, 25, 26].

The main contribution of this paper consists of two parts. In the first part (Sections 3-5), we develop a set of algebraic terminologies to describe FAs and give a systematic treatment of the weak invertibility theory of the separable memory FAs. In the second part (Sections 6-7), based on the developed theory, we give a simple introduction to FAPKC and then a cryptanalysis of it. Our results show that all the keys proposed for FAPKC in [17, 18, 19, 20, 21] are insecure both in encrypting and in signing. Before coming to the main topic, we recall some basic definitions in the next section.

Due to lack of space, the proofs of all the lemmas and theorems in this paper are omitted.



2 Basic Definitions

For convenience, in this section we restate some basic concepts, which can be found in [8] except for some concepts like the natural pairs and the right τ-weak inverses.

A finite automaton (FA) is a pentad M = (X, Y, S, δ, λ) where X, Y are the input and output symbol sets respectively, S is the state set, X, Y and S are all finite, δ : S × X → S is the next state function, and λ : S × X → Y is the output function. In the sequel, let X^i = {x_0 x_1 ··· x_{i-1} | x_j ∈ X, 0 ≤ j < i} be the set of all input sequences of length i, similarly for Y^i. For any s ∈ S, we use M(s) and δ(s) to denote the function from X^i to Y^i and the function from X^i to S defined as

M(s) x_0 x_1 ··· x_{i-1} = y_0 y_1 ··· y_{i-1},
δ(s) x_0 x_1 ··· x_{i-1} = s_i,

where s_0 = s, s_{j+1} = δ(s_j, x_j), y_j = λ(s_j, x_j), 0 ≤ j < i. For any two FAs M, M' which have the same input space X and the same output space Y, we say a state s in M is equivalent to a state s' in M' if M(s) = M'(s'), denoted by s ~ s'; we say M is a sub-automaton of M', denoted by M ≤ M', if for any state s in M there exists a state s' such that s ~ s'; we say M and M' are equivalent if M ≤ M' ≤ M. We do not distinguish equivalent FAs in the rest of this paper.

A FA M is called τ-weakly invertible if for any s ∈ S, x_i, x'_i ∈ X, the condition

M(s) x'_0 x'_1 ··· x'_τ = M(s) x_0 x_1 ··· x_τ

implies x'_0 = x_0. The least such τ, denoted by τ(M), is called the information delay of M.

Let M_1 = (X, Y, S_1, δ_1, λ_1) and M_2 = (Y, Z, S_2, δ_2, λ_2) be two FAs; define the composition of M_2 and M_1 to be the FA M_2 × M_1 = (X, Z, S_2 × S_1, δ_2 × δ_1, λ_2 × λ_1) where

(λ_2 × λ_1)((s_2, s_1), x) = λ_2(s_2, λ_1(s_1, x)),
(δ_2 × δ_1)((s_2, s_1), x) = (δ_2(s_2, λ_1(s_1, x)), δ_1(s_1, x)),

∀(s_2, s_1) ∈ S_2 × S_1, x ∈ X; we usually call M_1 the inner component and M_2 the outer component. It is true that (M_2 × M_1)(s_2, s_1) = M_2(s_2) M_1(s_1).

Let M = (X, Y, S, δ, λ) and M* = (Y, X, S*, δ*, λ*) be two FAs. For s ∈ S, s* ∈ S*, we say (s*, s) is a τ-pair in M* × M, or s* is a left τ-match of s, or s is a right τ-match of s*, if

(M* × M)(s*, s) x_0 x_1 ··· x_{n+τ-1} = w_0 w_1 ··· w_{τ-1} x_0 x_1 ··· x_{n-1}

for all x_0 x_1 ··· x_{n+τ-1} ∈ X^{n+τ}, where w_0 w_1 ··· w_{τ-1} ∈ X^τ may depend on x_0 x_1 ··· x_{τ-1}. If further w_0 w_1 ··· w_{τ-1} is independent of x_0 x_1 ··· x_{τ-1}, we say that (s*, s) is a natural τ-pair.

Let M and M* be as above. M* is called a τ-weak inverse of M, and τ is called the recovery delay of M* (with respect to M), if for any s ∈ S there exists an s* ∈ S* such that (s*, s) is a τ-pair in M* × M. It is clear that a τ-weak inverse of M can recover the input sequence except for the last τ inputs.

In studying the commutability of a FA M and its weak inverse, we introduce the so-called right weak inverse of M. A FA M* is called a right τ-weak inverse of M if for any state s in M there exists a state s* in M* such that (s, s*) is a τ-pair in M × M*.
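The definitions above (M(s), τ-weak invertibility, the information delay τ(M), the composition M_2 × M_1) together with the state correspondence (3) for the product fg defined in Section 3, as an added example that is not part of the paper: a brute-force checker for input-memory FAs over F = GF(2) in the scalar case l = 1, where a state is the tuple of the past h input bits. The class and function names, the three constructed automata (XOR, DELAY, AND) and the search bound max_tau are assumptions of this example; the paper itself works over F^l and proves these facts rather than enumerating them.

```python
# Added example (not from the paper): input-memory FAs over F = GF(2) with l = 1, a
# brute-force test of tau-weak invertibility, the composition M2 x M1, and the product fg.
from itertools import product

class InputMemoryFA:
    """M_f: the state is the past h inputs (t_-h, ..., t_-1); f(t_-h, ..., t_-1, t_0) gives the output bit."""
    def __init__(self, f, h):
        self.f, self.h = f, h

    def states(self):
        return [tuple(s) for s in product((0, 1), repeat=self.h)]

    def run(self, state, inputs):
        """Return (M(s) x, delta(s) x): the output sequence and the state reached."""
        s, outs = tuple(state), []
        for x in inputs:
            outs.append(self.f(*s, x))
            s = (s + (x,))[1:] if self.h else ()   # slide the window of past inputs
        return tuple(outs), s

def is_tau_weakly_invertible(fa, tau):
    """Definition: for every state, equal outputs on x_0 .. x_tau force equal x_0."""
    for s in fa.states():
        first_input = {}
        for xs in product((0, 1), repeat=tau + 1):
            y, _ = fa.run(s, xs)
            if first_input.setdefault(y, xs[0]) != xs[0]:
                return False
    return True

def information_delay(fa, max_tau=8):
    """tau(M): the least tau making the FA tau-weakly invertible, or None if none up to max_tau."""
    for tau in range(max_tau + 1):
        if is_tau_weakly_invertible(fa, tau):
            return tau
    return None

def compose_run(outer, s2, inner, s1, inputs):
    """(M2 x M1)(s2, s1) x = M2(s2) M1(s1) x: the inner output is the outer input."""
    y, _ = inner.run(s1, inputs)
    z, _ = outer.run(s2, y)
    return z

def product_fa(f_fa, g_fa):
    """Quasi-ring product fg of (2): (fg)(t_-(h+h') .. t_0) = f(g(t_-(h+h') .. t_-h), ..., g(t_-h' .. t_0))."""
    h, hp = f_fa.h, g_fa.h
    def fg(*t):                                   # t has length h + h' + 1
        return f_fa.f(*[g_fa.f(*t[i:i + hp + 1]) for i in range(h + 1)])
    return InputMemoryFA(fg, h + hp)

def product_matches_composition(f_fa, g_fa, length=3):
    """Check (3): M_fg in state a_-(h+h') .. a_-1 behaves as M_f x M_g in state (t, s_0)."""
    prod, h, hp = product_fa(f_fa, g_fa), f_fa.h, g_fa.h
    for s in prod.states():
        s0 = s[h:]                                # last h' inputs: the state of M_g
        t, _ = g_fa.run(s[:hp], s[hp:])           # M_g(a_-(h+h') .. a_-(h+1)) a_-h .. a_-1
        for xs in product((0, 1), repeat=length):
            if prod.run(s, xs)[0] != compose_run(f_fa, t, g_fa, s0, xs):
                return False
    return True

# Constructed automata (h = 1 each)
XOR = InputMemoryFA(lambda a, b: a ^ b, 1)     # y_0 = t_-1 + t_0: 0-weakly invertible
DELAY = InputMemoryFA(lambda a, b: a, 1)       # y_0 = t_-1: the input shows up one step late
AND = InputMemoryFA(lambda a, b: a & b, 1)     # y_0 = t_-1 t_0: never weakly invertible
```

information_delay returns 0 for XOR, 1 for DELAY and None for AND: with state 0, AND emits all zeros for both x_0 = 0 and x_0 = 1 no matter what follows, so no number of later outputs pins down x_0. The product DELAY·XOR has memory order 2 and delay 1, and product_matches_composition confirms the state mapping of (3) on it.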
3 Input Memory FAs and Quasi-Ring 𝓕

From now on, we assume X = Y = F^l (elements being written as column vectors), where F = GF(2) is the binary field, though all the results in this paper hold true when F is any finite field. We will concentrate on the so called input memory FAs whose states are determined by some number of the past inputs (see below for the exact definition). Instead of investigating these FAs individually, we study them as a whole set (the quasi-ring 𝓕) endowed with some algebraic structure. That is essential to our understanding of FAs. We begin with some definitions.

Let β = β(t_{-h}, ..., t_0, u_{-k}, ..., u_{-1}) be a function: X^{h+1} × Y^k → Y. Define the memory order of β to be the minimal integer pair (h', k') such that β is irrelevant to all the variables {t_{-i}, u_{-j} | i > h' ≥ -1, j > k' ≥ -1}, and denote it by m(β) = (h', k').

This function β together with any integer pair (h, k), h ≥ h', k ≥ k', determines a memory FA M_β^{(h,k)} = (X, X, S_β = X^h × Y^k, δ_β, λ_β) of type (h, k), where for any state s_0 = (x_{-h} ··· x_{-1}, y_{-k} ··· y_{-1}) ∈ X^h × Y^k, which is made of the past h inputs and the past k outputs, and any input x_0 ∈ X,

λ_β(s_0, x_0) = β(x_{-h}, ..., x_{-1}, x_0, y_{-k}, ..., y_{-1}),
δ_β(s_0, x_0) = (x_{-h+1} ··· x_{-1} x_0, y_{-k+1} ··· y_{-1} λ_β(s_0, x_0)).

Notice that all the FAs M_β^{(h,k)}, h ≥ h', k ≥ k', are equivalent to each other, so we do not care about the type (h, k), and write them with the same notation M(β), or simply β when there is no ambiguity.

If the function β is of the form

β = f(t_{-h}, ..., t_0) + g(u_{-k}, ..., u_{-1}) (1)

we say M(β) is a separable memory FA, written also as M_{f,g}. If g = 0, M_{f,g} will be called an input memory FA and will be written simply as M_f; in this case, the memory order of f = β is simply an integer h, which will be denoted by m(f) = h.

It is clear that M_{f,g} is τ-weakly invertible if and only if M_f is so, and all the problems on the weak invertibility of the separable memory FAs can be reduced to those of the input memory FAs. In order to understand the separable memory FAs, it is enough to understand the input memory FAs, so in this paper we will mainly care about input memory FAs.

Let 𝓕 be the set of all possible input memory FAs with X = Y = F^l:

𝓕 = { f | f = f(t_{-h}, ..., t_{-1}, t_0) : X^{h+1} → X, h ≥ 0 }.

Here t_{-i} = (t_{-i,1}, t_{-i,2}, ..., t_{-i,l})^t, where t means the transpose, and t_{-i,j} is a variable taking values from F.

Let f = f(t_{-h}, ..., t_0), g = g(t_{-h'}, ..., t_{-1}, t_0) ∈ 𝓕. Define the product of f and g as

fg = f(g(t_{-h-h'}, ..., t_{-h}), ..., g(t_{-h'}, ..., t_0)). (2)
The FA M_{fg} is denoted by the notation C'(M_g, M_f) in [13]. For any state s = (a_{-h-h'} ··· a_{-1}) ∈ S_{fg}, it is known [13] that

s ~ (t, s_0) ∈ S_f × S_g, (3)

where

s_0 = (a_{-h'} ··· a_{-2} a_{-1}) ∈ X^{h'} = S_g,
t = M_g(a_{-h-h'} ··· a_{-h-2} a_{-h-1}) a_{-h} ··· a_{-1} ∈ X^h = S_f,

hence M_{fg} is a sub-automaton of M_f × M_g.

With the above multiplication and the usual addition, 𝓕 forms a quasi-ring, that is, these operations satisfy the laws of a ring except the right-distribution law.

Let M_{m,l}(F) denote the set of all m × l matrices over F, similarly for M_{m,l}(F[z]) ... etc. Under the mapping

A = Σ_{0≤i≤r} A_i z^i ↦ Σ_{0≤i≤r} A_i t_{-i}, ∀A ∈ M_{l,l}(F[z]), where A_i ∈ M_{l,l}(F),

the matrix ring M_{l,l}(F[z]) is embedded in 𝓕 and becomes a subring of 𝓕; it is exactly the set of all linear FAs in 𝓕. t_0 is the identity of 𝓕 and will be identified with the identity matrix I and written as 1 sometimes. Similarly, t_{-i} can be identified with the matrix z^i I and written as z^i sometimes.

More generally, let 𝓕_{m,l} be the set of input memory FAs whose output and input spaces have dimension m and l respectively; the set of linear FAs in 𝓕_{m,l} can be identified with M_{m,l}(F[z]). We can similarly define products of elements of 𝓕_{n,m} and elements of 𝓕_{m,l} for any n, m, l. In particular, elements in 𝓕_{m,l} can be multiplied by elements in M_{n,m}(F[z]) for any n, m, l. So the boolean expression of an element f = f(t_{-h}, ..., t_0) ∈ 𝓕 can be written as:

f = CT, C ∈ M_{l,n}(F[z]), T = (T_1, T_2, ..., T_n)^t ∈ 𝓕_{n,l}, (4)

where T_i, 1 ≤ i ≤ n, are distinct standard monomials; here by a standard monomial we mean a monomial of the form

∏_{0≤i≤h} ∏_{1≤j≤l} t_{-i,j}^{a_{ij}}

such that there exists a j such that a_{0j} ≠ 0, where t_{-i,j}^0 = 1, t_{-i,j}^1 = t_{-i,j}.
4 Right Weak Inverses and M_f-Equations

In this section we study the problem of the existence of the right weak inverses and the problem of solving the equation determined by the operator M_f(s). The following Lemma 1 is critical in our studies. From Lemma 1 one may draw an analogy between a WIFA and a usual map, as it is well known that a map between two finite sets of the same size is injective if and only if it is surjective. To start with, we need to introduce a notion which generalizes the surjectiveness of the usual functions. For a state s of M, we say M(s) is τ-surjective if

M(s)X^{τ+1} = (M(s)X^τ) × X,

where M(s)X^k = {M(s)x | x ∈ X^k}, ∀k ≥ 1.

Lemma 1 Let f ∈ 𝓕, then f is τ-weakly invertible if and only if M_f(s) is τ-surjective for all s ∈ S_f. □

Theorem 1 Let f ∈ 𝓕, M* = (X, X, S*, δ*, λ*) be a τ-weak inverse of M_f. Then M* is also a right τ-weak inverse of f. Moreover, if (s*, s) is a τ-pair in M* × M_f, let s** = δ*(s*) M_f(s) x for an arbitrary x ∈ X^τ; then (s, s**) is a natural τ-pair in M_f × M*. □



Remark 1 Based on the above Theorem, we may concentrate only on the weak inverses.

Theorem 2 Let f ∈ 𝓕 be weakly invertible with τ(f) = τ, and let M* = (X, X, S*, δ*, λ*) be a τ'-weak inverse of M_f, and let (s*, s) be a τ'-pair in M* × M_f. Then

1. The M_f-equation

M_f(s) x = a, a = a_0 a_1 ··· a_{n+τ-1} ∈ X^{n+τ}, x = x_0 x_1 ··· x_{n+τ-1}, (5)

has a solution x ∈ X^{n+τ} if and only if a_0 a_1 ··· a_{τ-1} ∈ M_f(s)X^τ, and if it has a solution, then the first n inputs x_0 x_1 ··· x_{n-1} are uniquely determined.

2. If the equation (5) has a solution, then x is a solution if and only if it can be read out by applying M*(s*) on a x' for some x' ∈ X^{τ'} as follows:

x = M*(s*) a x',

where the leading block in X^{τ'} is irrelevant data. □

In the sequel, a separable memory FA is denoted by the notation M_{f,zg} naturally, where f ∈ 𝓕 and g ∈ 𝓕.

Theorem 3 1. For any f ∈ 𝓕 and g ∈ 𝓕, the equation M_{f,zg}(s, r) x = a is equivalent to the equation M_f(s) x = a', a' = M_{1-zg}(r) a.

2. Let f ∈ 𝓕, τ ≥ τ(f), S_f = X^h, s^- ∈ X^{h-τ}, a ∈ X^n; then the equation M_f(s^- x') x = a always has a solution x' x ∈ X^{τ+n}. Moreover, the data x' x ∈ X^{n+τ} is a solution if and only if x' x satisfies:

M_f(b s^-) x' x = c' a

for some b ∈ X^τ, c' ∈ M_f(b s^-)X^τ.

3. Assume f = f_2 f_1 and s is equivalent to the state (s_2, s_1) ∈ S_{f_2} × S_{f_1} (see (3)). Assume M*_2 is a τ_2-weak inverse of M_{f_2}, and (s*_2, s_2) is a τ_2-pair in M*_2 × M_{f_2}. Then x is a solution of the equation (5) if and only if it satisfies:

a' = M_{f_1}(s_1) x,

where a' is obtained, as in Theorem 2, by reading it out of M*_2(s*_2) a x' for some x' ∈ X^{τ_2}. □

5 Constructing WIFAs

Denote the set consisting of all weakly invertible elements in $\mathcal{F}$ by $\mathcal{F}^*$, and the set consisting of all $\tau$-weakly invertible elements in $\mathcal{F}$ by $\mathcal{F}^*_\tau$. In this section we study how to construct the elements in $\mathcal{F}^*$, and how to construct their weak inverses and the related state pairs. The last problem is considered in Theorem 4. As will be shown, there are two types of primitive weakly invertible elements, namely weakly invertible linear FAs and 0-weakly invertible FAs; they and their weak inverses can be constructed systematically (Theorems 5 and 6). More elements in $\mathcal{F}^*$ can be generated from these two types of primitive elements by a finite number of multiplicative and some proper additive operations (Theorems 7 and 8). Note that 0-WIFAs contribute nothing to the information delay in such constructions; it would be interesting if one could construct systematically nonlinear WIFAs with positive delay without using any linear FAs as ingredients, but it seems a hard task.

In the sequel we denote the group consisting of all invertible $l \times l$ matrices over $F[z]$ by $GL_l(F[z])$, and similarly for $GL_l(F)$, etc.

Theorem 4 Let $M^* = (X, X, S^*, \delta^*, \lambda^*)$ be a $\tau$-weak inverse of $f \in \mathcal{F}^*$. Given a single $\tau$-pair $(b^*, b)$ in $M^* \times M_f$, for any state $s \in X^h = S_f$ in $M_f$ let $s^* = \delta^*(b^*)\,M_f(b)\,u\,s$; then $(s^*, s)$ is a natural $\tau$-pair in $M^* \times M_f$, where $u \in X^d$ is arbitrary and $d = 0$ if $h \ge \tau$, $d = \tau - h$ if $\tau > h$. □

Remark 2 For any given WIFA $M_f$ and its $\tau$-weak inverse $M^*$, in order to be able to construct a $\tau$-match for each of the states in $M_f$, it is enough to be able to construct a single $\tau$-pair in $M^* \times M_f$, according to the above theorem.



In order to describe all the linear elements in $\mathcal{F}^*$, we need the following kind of decomposition of matrices in $M_{l,l}(F[z])$. For any $0 \ne B \in M_{l,l}(F[z])$, by using the well-known algorithm [27] for transforming a matrix over $F[z]$ into diagonal form, one can get a decomposition of $B$ of the form

$$B = PDQ(1 - zb) \qquad (6)$$







Z. Dai, D.F. Ye and K.Y. Lam 



where $P \in GL_l(F[z])$, $Q \in GL_l(F)$, $b \in M_{l,l}(F[z])$ and $D$ is an $l \times l$ diagonal matrix determined by a tuple $\mathbf{n} = (n_0, n_1, \dots, n_r)$ of integers:

$$D = \mathrm{diag}(I_{n_0},\ zI_{n_1},\ z^2 I_{n_2},\ \dots,\ z^r I_{n_r},\ 0_n), \qquad n = l - \sum_{0 \le i \le r} n_i,\quad r \ge 0,\quad n_r > 0,\quad n_i \ge 0\ (i < r),$$

where $I_n$ is the $n \times n$ identity matrix and $0_n$ is the $n \times n$ zero matrix. The tuple $\mathbf{n}$ is uniquely determined by $B$ and will be called the structure parameter of $B$.

Theorem 5 [15, 16, 26] Let $B \in M_{l,l}(F[z])$ be of the form (6); then

1. $B$ is weakly invertible if and only if $\det(B) \ne 0$, which is equivalent to $l = \sum_{0 \le i \le r} n_i$;

2. if $B$ is weakly invertible, then $\tau(B) = r$;

3. if $\tau(B) = r$, then $M_{A,zb}$ is an $r$-weak inverse of $B$, where $A = Q^{-1} G P^{-1}$, $G = z^r D^{-1}$; and $((0,0), 0)$ is an $r$-pair in $M_{A,zb} \times M_B$. □



Theorem 6 Let $f = f(t_{-h}, \dots, t_{-1}, t_0) \in \mathcal{F}$; then $f$ is 0-weakly invertible if and only if $f(a_{-h}, \dots, a_{-1}, t_0)$ is a permutation on $X$ for each state $s = (a_{-h}, \dots, a_{-1})$ in $M_f$, and in this case $f$ can be expressed in the following form:

$$f = \sum_{1 \le i \le n} c_i(t_{-h}, \dots, t_{-1})\,P_i(t_0)$$

where $n \ge 1$, $P_i$ is a permutation on $X$, the coefficient $c_i(t_{-h}, \dots, t_{-1})$ is a function taking values in $\{0, 1\}$, on the understanding that $0 \cdot P_i(t_0) = 0$, $1 \cdot P_i(t_0) = P_i(t_0)$, and $\sum_{1 \le i \le n} c_i(t_{-h}, \dots, t_{-1}) = 1$ (as an integer sum). Moreover, put

$$\beta = \sum_{1 \le i \le n} c_i(u_{-h}, \dots, u_{-1})\,P_i(t_0)^{-1};$$

then the memory FA $M(\beta)$ is a 0-weak inverse of $M_f$, it has the same state set as $M_f$, and $(s, s)$ is a 0-pair in $M(\beta) \times M_f$ for any state $s$ in $M_f$. In particular, the following three types of elements are all 0-weakly invertible: 1. permutations on $X$; 2. $1 + zk$, $k \in \mathcal{F}$; 3. $1 + UkV$, where $UV = VU = 0$, $U \in M_{l,l}(F[z])$, $V \in M_{l,l}(F[z])$, and $k \in \mathcal{F}$. □



It is known that $\mathcal{F}^*$ is closed under the multiplicative operation, i.e., if $f_i \in \mathcal{F}^*$ ($i = 1, 2$), then $f_2 f_1 \in \mathcal{F}^*$. Moreover, we have

Theorem 7 Let $f_i \in \mathcal{F}$, $i = 1, 2$; then $f_2 f_1 \in \mathcal{F}^*$ if and only if $f_i \in \mathcal{F}^*$ for $i = 1$ and $2$, and in this case $\tau(f_i) \le \tau(f_2 f_1) \le \tau(f_1) + \tau(f_2)$. □

To describe the inverse of the composed FA $M_{f_2 f_1}$, the following construction is useful. Given $M = (X, X, S, \delta, \lambda)$, let

$$M^{(\tau)} = (X, X, S \times \{0, 1, \dots, \tau\}, \delta^{(\tau)}, \lambda^{(\tau)}),$$

where

$$\delta^{(\tau)}((s, i), x) = \begin{cases} (s, i + 1), & 0 \le i < \tau \\ (\delta(s, x), \tau), & i = \tau \end{cases}$$

and

$$\lambda^{(\tau)}((s, i), x) = \begin{cases} 0 \in X, & 0 \le i < \tau \\ \lambda(s, x), & i = \tau. \end{cases}$$

The following theorem is well-known:

Theorem 8 Let $f_i \in \mathcal{F}$, $i = 1, 2$, and let $M_i^*$ be a $\tau_i$-weak inverse of $M_{f_i}$; then $M_1^{*(\tau_2)} \times M_2^*$ is a $(\tau_1 + \tau_2)$-weak inverse of $M_{f_2 f_1}$. Moreover, for any state $s$ in $M_{f_2 f_1}$, let $(s_2, s_1)$ be the state in $M_{f_2} \times M_{f_1}$ equivalent to $s$ (see (3)), and let $(s_i^*, s_i)$ be a $\tau_i$-pair in $M_i^* \times M_{f_i}$; then $(((s_1^*, 0), s_2^*), (s_2, s_1))$ is a $(\tau_1 + \tau_2)$-pair in $(M_1^{*(\tau_2)} \times M_2^*) \times M_{f_2 f_1}$. □

The next result shows that $\mathcal{F}^*$ is closed under the operation of adding elements of the form $z^{1+\tau} g$, $g \in \mathcal{F}$. To see how the inverses of $f - z^{1+\tau} g$ are related to those of $f$, we define the circle product of $M = (X, Y, S, \delta, \lambda)$ and $M_\beta$ to be the FA $M \circ M_\beta = (X, Y, S \times S_\beta, \delta^\circ, \lambda^\circ)$, where $\beta = \beta(x_{-h}, \dots, x_{-1}, y_{-k}, \dots, y_{-1}, x_0)$ is a function from $X^{h+1} \times Y^k$ to $Y$, $S_\beta = X^h \times Y^k$, and for any state $(s_0, r_0 = (x_{-h}, \dots, x_{-1}, y_{-k}, \dots, y_{-1})) \in S \times S_\beta$ and any input $x_0$, the functions $\delta^\circ$ and $\lambda^\circ$ are defined as

$$\lambda^\circ((s_0, r_0), x_0) = \lambda(s_0, \lambda_\beta(r_0, x_0)),$$

$$\delta^\circ((s_0, r_0), x_0) = \big(\delta(s_0, \lambda_\beta(r_0, x_0)),\ (x_{-h+1}, \dots, x_{-1}, x_0,\ y_{-k+1}, \dots, y_{-1}, \lambda^\circ((s_0, r_0), x_0))\big),$$

where $\lambda_\beta(r_0, x_0) = \beta(x_{-h}, \dots, x_{-1}, y_{-k}, \dots, y_{-1}, x_0)$; that is, the memory of $M_\beta$ is refreshed with the input $x_0$ and with the output of the whole product $M \circ M_\beta$.

Theorem 9 Let $f \in \mathcal{F}^*$, and let $M^* = (X, X, S^*, \delta^*, \lambda^*)$ be a $\tau$-weak inverse of $M_f$; then

1. $f - z^{1+\tau} g \in \mathcal{F}^*$ for any $g \in \mathcal{F}$; moreover $\tau(f - z^{1+\tau} g) = \tau(f)$;

2. $M^* \circ M_{t_0 + z^{1+\tau} g}$ is a $\tau$-weak inverse of $f - z^{1+\tau} g$. For any state $s$ in $M_{f - z^{1+\tau} g}$, if $(s^*, s)$ is a $\tau$-pair in $M^* \times M_f$, then $((s^*, s), s)$ is a $\tau$-pair in $(M^* \circ M_{t_0 + z^{1+\tau} g}) \times M_{f - z^{1+\tau} g}$, where $s$ is considered naturally also as both a state of $M_{t_0 + z^{1+\tau} g}$ and a state of $M_f$. □

6 Brief Introduction of FAPKC

In this section we describe the scheme FAPKC [17, 18, 19, 20, 21] in the terminology developed above.

Choose two elements $f_0$ and $f_1$ in $\mathcal{F}^*$ whose weak inverses can be constructed easily, and let $M_i^*$ be the constructed $\tau_i$-weak inverse of $M_{f_i}$, $i = 0, 1$. Choose $g \in \mathcal{F}$. Write $f = f_0 f_1$, $\tau = \tau_1 + \tau_0$, $M^* = M_1^{*(\tau_0)} \times M_0^*$ (which is a $\tau$-weak inverse of $M_f$, see Theorem 8). Write $h = h_0 + h_1$, where $h_i = m(f_i)$, and $k = m(zg)$. Choose $(s, r) \in X^h \times X^k$ and $(s', r') \in X^h \times X^k$; let $(s^*, s)$ be a $\tau$-pair in $M^* \times M_f$ (see Theorem 8), and $(s', s^{**})$ be a $\tau$-pair in $M_f \times M^*$ (see Theorem 1). Write $s' = h\,s^-$, where $h \in X^\tau$, $s^- \in X^{h-\tau}$. Let $f = CT$ be the boolean expression of $f$ (see (4)).

The keys and the algorithm in FAPKC are as below:

Public key: $C, T, g, s, r, s^-, r', \tau$.

Private key: $M^*, s^*, s^{**}$.

Encrypting: Suppose $p \in X^n$ is the plaintext sequence; select $\lambda \in X^\tau$ randomly, then the ciphertext is $c = M_{CT,zg}(s, r)\,p\lambda \in X^{n+\tau}$.

Decrypting: The plaintext $p$ can be read out from the equation $\mu\,p = M^*(s^*)\,M_{1-zg}(r)\,c$, where $\mu \in X^\tau$ is irrelevant data.

Signing: Suppose $m \in X^n$ is the message to be signed; select $\lambda \in X^\tau$ randomly, then $\sigma d = M^*(s^{**})\,M_{1-zg}(r')\,m\lambda$ is the digital signature for $m$.

Verifying signature: The receiver verifies whether $M_{CT,zg}(s^-\sigma, r')\,d = m$. The receiver accepts $\sigma d$ as the legal signature if the equality holds, and rejects it otherwise.

Remark 3 In the proposed schemes [17, 18, 19, 20] there are some restrictions on choosing the partial state $s^-$. These restrictions are not necessary in order to make the algorithm work, so all of them have been dropped in the above description.

Now we list the keys proposed in [17, 18, 19, 20, 21]:

Form 1 [17, 18]: $f_0$ is linear, $\tau(f_1) = 0$.

Form 2 [19]: $f_0$ is linear, $\tau(f_1) > 0$, $f_1$ has a weak inverse of the form $M_{A,zk}$ with $A \in M_{l,l}(F[z])$, $l = 8$ and

$$T = (t_{0,1}, t_{0,2}, \dots, t_{0,8},\ t_{0,1}t_{-1,1}, t_{0,2}t_{-1,2}, \dots). \qquad (7)$$

Form 3 [20]: $f_0$ is linear, $l = m = 8$, $m(T) = 2$ (the memory order of $T$), $\tau_0 = 7$, $\tau_1 = 8$, $h_0 + h_1 \le 20$, but no examples for $f_1$ are given in [20].

Form 4 [21]: $f_0 = B_0 P_0 Q_0$, $f_1 = B_1 P_1 Q_1$ or $f_1 = B_1$, where $B_i \in M_{l,l}(F[z])$, $Q_i \in M_{l,l}(F)$, and each $P_i$ is a permutation on $V$ determined by an exponential function defined over $GF(2^l)$, where $GF(2^l)$ is identified with $V = F^l$ in a natural way.

In form 4 the outer component $f_0$ is nonlinear, so the composition $f_0 f_1$ causes an exploding boolean expression, even though the nonlinear degree of $f_0$ is just 2. In order to keep the public key size tolerable, the parameters have to be very small. The following table is copied from [21] to illustrate the suggested parameters and the corresponding public key sizes, where $\tau_0 < h_0 = m(f_0)$, $\tau_1 < h_1 = m(f_1)$, and $N_1$ ($N_2$) is the corresponding public key size when $f_1$ is linear (nonlinear).



      l      |    7   |    7   |    5   |    5    |    3   |    3    |    3
  (h_0, h_1) | (1,14) | (7,8)  | (1,19) | (10,10) | (1,34) | (10,25) | (17,18)
  N_1 (bits) |  8281  | 32948  |  4075  |  20950  |  1593  |  8883   | 13041
  N_2 (bits) | 105840 | 414512 | 29850  | 181725  |  5400  | 34560   | 51192



































Weak Invertibility of Finite Automata and Cryptanalysis on FAPKC 






Remark 4 In describing the basic algorithm of FAPKC3, it is stated in Section 3 of [20] that the outer component automaton of the public key is a memory finite automaton, which is not necessarily restricted to be of the above form 3. In this paper we consider only the latter (i.e., form 3), which is stated in [20] in describing an implementation of FAPKC3, because [20] gives neither an example nor suggested parameters for the former other than form 3. We guess it is hard to give such an example with a tolerable public key size.

It was shown that encrypting is insecure when the key is of form 1 in [23] and of form 2 in [25]. It was shown in [26] that both encrypting and signing are insecure when the key is of form 2 without the restriction (7).



7 Cryptanalysis on FAPKC 

In this section we keep the notation of the last section and consider the following

Problem 1 How to decode the ciphertexts and how to forge the signatures without knowing the private key of FAPKC?

We will show that Problem 1 can be solved for any one of the keys of the forms 1–4 listed in the last section, and also for the keys of the form 2 without the restriction shown in (7).

To decode the ciphertext is exactly to solve the equation $M_{f,zg}(s, r)\,p\lambda = c \in X^{n+\tau}$ (where $p\lambda$ are the unknowns), which is reduced to the equation $M_f(s)\,p\lambda = c'$, where $c' = M_{1-zg}(r)\,c$, according to Theorem 3.

To forge a signature is exactly to solve the equation $M_{f,zg}(s^-\sigma, r')\,d = m$ (where $\sigma d$ are the unknowns), which is reduced to the equation $M_f(s^-\sigma)\,d = m'$, $m' = M_{1-zg}(r')\,m$, according to Theorem 3.1, and further to $M_f(h\,s^-)\,\sigma d = c'm'$ according to Theorem 3.2. Therefore Problem 1 is reduced to

Problem 2 How to solve the $M_f$-equation of the form (5) for $f = f_0 f_1$?



The following theorem shows that $f$, as an arbitrary element in $\mathcal{F}^*$, has a routine decomposition which will be used to reduce Problem 2. We say two elements $f$ and $g$ in $\mathcal{F}$ are similar if there exists $G \in GL_l(F[z])$ such that $f = Gg$, written $f \sim g$.

Theorem 10 Assume $f = CT \in \mathcal{F}^*$, $C \in M_{l,n}(F[z])$; then

1. Using the well-known method [27] to transform a matrix over $F[z]$ into diagonal form, we may get

$$C = B\,(I, 0)\,Q, \qquad B \in M_{l,l}(F[z]),\ \det(B) \ne 0,\ Q \in GL_n(F[z]), \qquad (8)$$

where $(I, 0)$ is a matrix of size $l \times n$, $I$ is the $l \times l$ identity matrix and $0$ is the zero matrix of size $l \times (n - l)$. Let $f^N = (I, 0)\,Q\,T$; then $f = B f^N$, where $f^N$ is uniquely determined up to similarity. We call $f^N$ the $\mathcal{F}$-nonlinear factor of $f$, and $B$ the $\mathcal{F}$-linear factor of $f$.

2. For any weakly invertible linear $A \in \mathcal{F}$, denote the $\mathcal{F}$-nonlinear factor of $Af$ by $(Af)^N$; then $(Af)^N \sim f^N$ and $\tau((Af)^N) = \tau(f^N) \le \tau(f)$. □

From Theorem 10 and Theorem 7 we get

Corollary 1 Let $f^N$ be the $\mathcal{F}$-nonlinear factor of $f$ defined as in Theorem 10; then $\tau(f^N) \le \tau_1$ for any one of the keys of the forms 1–4 listed in the last section, and also for the keys of the form 2 without the restriction shown in (7). □



Notice that the weak inverses of the linear factor of $f$ are easily constructed (see Theorem 5), so based on Theorem 10 and Theorem 3.3, Problem 2 is reduced to

Problem 3 How to solve the equation of the form $M_{f^N}(s)\,x = a$, $a \in X^{\tau+n}$, $n \ge 1$ (where $f^N$ is the $\mathcal{F}$-nonlinear factor of $f$ defined as in Theorem 10)?



One may try to solve Problem 3 case by case by means of the divide-and-conquer searching method, or, according to Theorem 2, try to solve it systematically by solving the following

Problem 4 How to construct a $\tau'$-weak inverse of $M_f$ or $M_{f^N}$ (where $\tau'$ can be chosen arbitrarily)?



Problem 4 can be solved if we can decompose $f$ or $f^N$ into a product of several FAs each of which can be inverted. This is the case when the key is of form 2 without the restriction (7), as shown in the following theorem, which characterizes the so-called quasi-linear elements defined below.

Definition 1 The element $f$ in $\mathcal{F}$ is called quasi-linear if $M_f$ has a weak inverse of the form $M_{A,zk}$ with $A \in M_{l,l}(F[z])$, $k \in \mathcal{F}$.

Theorem 11 Let $f \in \mathcal{F}^*$; then

1. $f$ is quasi-linear if and only if $f$ has a decomposition

$$f = B(1 - zg), \qquad B \in M_{l,l}(F[z]),\ \det(B) \ne 0,\ g \in \mathcal{F}. \qquad (9)$$

As a consequence, if $f$ is quasi-linear, so is $Af$ for any $A \in M_{l,l}(F[z])$ with $\det(A) \ne 0$.

2. If $f$ is quasi-linear, then a decomposition $f = B(1 - zg)$ of the form (9) and a weak inverse can be obtained easily from its boolean expression $f = CT$ as follows. Assume $T = \binom{t_0}{T'}$, where $t_0$ consists of the $l$ coordinates of the current input and $T'$ of the remaining $n - l$ terms, and correspondingly write $C = (C_0, C_1)$, $C_0 \in M_{l,l}(F[z])$, $C_1 \in M_{l,n-l}(F[z])$. Let $C_0 = PDQ(1 - zb)$ be a decomposition of $C_0$ of the form (6), and let $A = z^\tau Q^{-1} D^{-1} P^{-1}$; then $A \in M_{l,l}(F[z])$ and $AC_1 = z^{1+\tau} H$ for some $H \in M_{l,n-l}(F[z])$. Let $g = b - HT'$ and $B = PDQ$. Then $f = B(1 - zg)$, and $M_{A,zg}$ is a $\tau$-weak inverse of $M_f$. □



We claim that Problem 3 can be solved case by case in practice by means of the divide-and-conquer searching method when the key is any one of the forms 1–4 listed in the last section. To see this, we consider how large $\tau(f)$ should be in order to resist divide-and-conquer searching attacks on an equation of the form $M_f(s)\,x = a$, $a \in X^{\tau+n}$. Let us first see how to estimate the actual complexity of such an attack. For plain exhaustive searching an obvious upper bound is $2^{l(\tau+1)}$, but the exact bound may be much smaller. When $f$ is linear, the logarithm of the bound to base 2 can be expressed by its structure parameters defined in Section 5, and the mean value of this expression is $l(\tau+1)/2$. There are no strong reasons why exhaustive searching with a nonlinear FA should be much harder than with a linear one. So using $2^{l(\tau+1)/2}$ to estimate the complexity of divide-and-conquer searching attacks is not too pessimistic. Thus, to resist such attacks on Problem 3 we should require, say, $l(\tau(f^N)+1)/2 > 60$. Based on Corollary 1, the parameter $l(\tau_1+1)/2 \ge l(\tau(f^N)+1)/2$ for any one of the keys of the forms 1–3, and for any one of the suggested keys of form 4, is estimated as below, and one can see that none of them meets the bound 60.

1. When the key is of form 1 or form 2, $l(\tau(f^N)+1)/2 = 4$.

2. When the key is of form 3, $l(\tau_1+1)/2 = 36$.

3. When the key is of form 4, the parameter $l(h_1+1)/2 \ge l(\tau_1+1)/2$ is shown in the following table for the suggested parameters.

        l        |    7   |    7   |    5   |    5    |    3   |    3    |    3
    (h_0, h_1)   | (1,14) | (7,8)  | (1,19) | (10,10) | (1,34) | (10,25) | (17,18)
  l(h_1 + 1)/2   |  52.5  |  31.5  |   50   |  27.5   |  52.5  |   39    |  28.5



From the above cryptanalysis of this section, we see all the keys proposed 
in [17, 18, 19, 20, 21] for FAPKC are insecure both in encrypting and signing. 
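The following Python program is an added illustration of Sections 6 and 7 and is not code from the paper or from any FAPKC implementation. It builds a toy key in the paper's terminology: a 0-weakly invertible $f_1 = 1 + zk$ (Theorem 6, type 2), a linear $f_0$ of delay 1 (Theorem 5), their weak inverses composed as $M_1^{*(\tau_0)} \times M_0^*$ (Theorem 8), and the separable encryption automaton $M_{f,zg}$ with its $M_{1-zg}$ stripping step (Theorem 3). It then decrypts legitimately and, without the private key, solves $M_f(s)\,x = c'$ by the plain exhaustive search whose cost the paper estimates above. Everything here is constructed for the illustration: $l = 4$, the maps $k$ and $g$, the states $(s, r)$ and the plaintext; these parameters are orders of magnitude below any of the forms 1–4 and say nothing about real key sizes.

```python
"""Toy FAPKC-style key over X = GF(2)^4 and the search attack of Section 7.
Constructed example: l = 4 and one-symbol memories are far below the key forms
1-4; they only make the search finish in milliseconds. X = ints 0..15, '+' is XOR."""
import itertools
import os

L = 4
MASK = (1 << L) - 1
X = range(1 << L)

def k_nonlin(x):   # constructed nonlinear k: X -> X for f1 = 1 + z k (Theorem 6, type 2)
    return ((x & (x >> 1)) ^ ((x << 2) & MASK) ^ (x * 7)) & MASK

def g_fb(y):       # constructed output-feedback g of the separable FA M_{f,zg}, m(zg) = 1
    return ((y * 3) ^ (y >> 1)) & MASK

# An FA is a step function (state, input) -> (output, new state).
def memory_fa(f):
    """M_f: state = tuple of the last h inputs, y_t = f(x_{t-h}, ..., x_{t-1}, x_t)."""
    return lambda st, x: (f(st, x), st[1:] + (x,))

def feedback_fa(beta):
    """M(beta) of Theorem 6: state = tuple of this FA's own last h outputs."""
    def step(st, x):
        y = beta(st, x)
        return y, st[1:] + (y,)
    return step

def delayed(step, tau):
    """M^(tau) of Section 5: output 0 and keep the state for tau steps, then act as M."""
    def dstep(st, x):
        s, i = st
        if i < tau:
            return 0, (s, i + 1)
        y, s = step(s, x)
        return y, (s, tau)
    return dstep

def product(outer, inner):
    """M_outer x M_inner: the input goes through inner first, its output through outer."""
    def step(st, x):
        so, si = st
        u, si = inner(si, x)
        y, so = outer(so, u)
        return y, (so, si)
    return step

def run(step, st, xs):
    ys = []
    for x in xs:
        y, st = step(st, x)
        ys.append(y)
    return ys, st

# f = f0 f1: nonlinear f1 of delay 0 composed with linear f0 of delay 1.
H0, H1, TAU0, TAU1 = 1, 1, 1, 0
TAU = TAU0 + TAU1                                 # tau(f0 f1) <= tau0 + tau1 (Theorem 7)

def f1(hist, x0):                                 # f1 = 1 + z k, 0-weakly invertible
    return x0 ^ k_nonlin(hist[-1])

def f0(hist, x0):                                 # linear, B = diag(1,1,1,z): bit 0 of x_t
    return (x0 & 0b1110) ^ (hist[-1] & 1)         # only appears at time t+1, so tau0 = 1

def f(hist, x0):                                  # f0 f1 as one memory FA, h = h0 + h1 = 2
    xs = hist + (x0,)
    us = [f1(xs[j - H1:j], xs[j]) for j in range(H1, len(xs))]   # u_{-h0}, ..., u_0
    return f0(tuple(us[:-1]), us[-1])

M0_inv = memory_fa(lambda hist, y: (hist[-1] & 0b1110) ^ (y & 1))   # emits x_{t-1} at t
M1_inv = feedback_fa(lambda outs, y: y ^ k_nonlin(outs[-1]))        # beta of Theorem 6
M_inv = product(delayed(M1_inv, TAU0), M0_inv)    # Theorem 8: a tau-weak inverse of M_f
M_strip = memory_fa(lambda hist, c: c ^ g_fb(hist[-1]))             # M_{1 - zg}

def encrypt(s, r, p):
    """Public operation c = M_{f,zg}(s, r) p.lambda, lambda in X^tau irrelevant data."""
    def step(st, x):                              # separable FA: y_t = f(., x_t) + g(y_{t-1})
        sx, y_prev = st
        y = f(sx, x) ^ g_fb(y_prev)
        return y, (sx[1:] + (x,), y)
    lam = [b & MASK for b in os.urandom(TAU)]
    return run(step, (tuple(s), r), list(p) + lam)[0]

def decrypt(s_star, r, c):
    """Private operation: c' = M_{1-zg}(r) c, then M*(s*) c' and drop tau junk outputs."""
    cprime = run(M_strip, (r,), c)[0]
    return run(M_inv, s_star, cprime)[0][TAU:]

def solve_by_search(s, cprime, n):
    """Section 7, no private key: tau-weak invertibility makes x_t a function of the
    state and c'_t..c'_{t+tau}, so try every (x_t, ..., x_{t+tau}) in X^(tau+1) and keep
    those reproducing the outputs: |X|^(tau+1) = 2^(l(tau+1)) work per symbol, and the
    divide-and-conquer variant estimated in the paper needs far less."""
    M, hist, out = memory_fa(f), tuple(s), []
    for t in range(n):
        target = cprime[t:t + TAU + 1]
        cands = {gs[0] for gs in itertools.product(X, repeat=TAU + 1)
                 if run(M, hist, gs)[0] == target}
        assert len(cands) == 1                    # exactly one x_t is consistent
        out.append(cands.pop())
        hist = hist[1:] + (out[-1],)
    return out

def demo(p=(3, 14, 9, 0, 7, 11)):
    s, r = (5, 12), 9                             # public state (s, r) of M_{f,zg}
    s_star = (((s[-1],), 0), (0,))                # private state of M* matching s
    c = encrypt(s, r, p)
    cprime = run(M_strip, (r,), c)[0]
    return decrypt(s_star, r, c) == list(p) and solve_by_search(s, cprime, len(p)) == list(p)
```

`demo()` returns `True`: the composed weak inverse and the keyless search recover the same plaintext. The search needs only the public automaton $f$ and the public state $s$; its cost is governed by $\tau$ of the automaton being searched, which is the quantity Corollary 1 bounds by $\tau_1$ for the proposed keys.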
Abstract. Multireceiver authentication codes allow one sender to construct an authenticated message for a group of receivers such that each receiver can verify the authenticity of the received message. In this paper we give a formal definition of multireceiver authentication codes, derive information-theoretic and combinatorial lower bounds on their performance, and give new efficient constructions for such codes; our constructions are based on linear error-correcting codes.



Multireceiver authentication codes (MRA-codes), introduced by Desmedt, Frankel and Yung, extend Simmons' model of unconditionally secure authentication. In an MRA-code a sender wants to authenticate a message for a group of receivers such that each receiver can verify the authenticity of the received message. Receivers are not trusted and may try to construct fraudulent messages on behalf of the transmitter. If the fraudulent message is acceptable to even one receiver, the attackers have succeeded. This is a useful extension of traditional authentication codes and has numerous applications, for example a director wanting to give instructions to employees in an organisation such that each employee is able to verify the authenticity of the message. Providing such a service using digital signatures implies that security relies on unproven assumptions and on the attackers having a finite amount of computational resources. In the unconditionally secure model there are no computational assumptions and no limitations on the attackers' resources.

A multireceiver A-code can be trivially constructed using traditional A-codes: 
the sender shares a common key with each receiver; to send an authenticated 
message it constructs n codewords, one for each receiver, concatenates them 
and broadcasts the result. Now each receiver can verify its own codeword and 
so authenticate the message. In this construction collaboration of even n — 1 
receivers does not help them in constructing a message that is acceptable by 
the receiver simply because the n codewords are independently constructed. 
If we assume that the size of the malicious groups cannot be too large, for 
example the biggest number of collaborators is w — 1 (where w < n), then we 
can expect to save on the size of the key and the length of the codeword because 
codewords can have dependencies. This is the basis of attempting to construct 
codes that are more efficient than the trivial one. The first two constructions of 

K. Ohta and D. Pei (Eds.): ASIACRYPT’98, LNCS 1514, pp. 242-|^^^ 1998. 
(w,n) MRA-codes, given by DFY, are based on polynomials over finite fields and on finite geometries. DFY's description of MRA-codes is basically a definition of their functionality, that is, of the way the code works. Kurosawa and Obana (KO) studied (w,n) MRA-codes, derived combinatorial lower bounds on the probability of success in impersonation and substitution attacks, and characterised Cartesian MRA-codes that satisfy the bound with equality.

In this paper we start by giving a more general definition of MRA-codes which is 
a natural generalisation of KO’s definition. Next we derive the first information 
theoretic bounds on the probability of success in impersonation and substitution 
attacks. The bounds are used to obtain combinatorial bounds on the the number 
of keys of the transmitter and receivers and also the size of the tag. These latter 
bounds are generalisations of KO bounds to MRA-systems that are not perfect. 
Finally, we present two new constructions for MRA-codes using linear error- 
correcting codes (E-codes). The constructions are particularly important because 
they give MRA-codes from arbitrary E-codes and can be seen as extension of 
Johansson et al jO] work relating E-codes and A-codes. This established link 
allows us to apply bounds and constructions from the well-developed discipline 
of E-codes to the construction of new MRA-systems. Using maximum distance 
separable codes in the first construction, and special values for parameters in 
the second, results in new optimal MRA-codes that satisfy lower bounds on the 
size of keys and the tag. Besides DFY’s original polynomial construction, these 
are the only other known optimal constructions for MRA-codes. 

The paper is organised as follows. Section 1 provides basic definitions and reviews known results. In Section 2 we define MRA-codes and derive information-theoretic and combinatorial bounds. In Section 3 we first recall DFY's polynomial construction and then propose two efficient constructions from linear error-correcting codes. In the final section we summarise our results.

1 Preliminaries 

In Simmons’ model of unconditionally secure authentication there are three par- 
ticipants: a transmitter {sender), a receiver, and an opponent. The transmitter 
and the receiver share a secret key and are both assumed honest. The message 
is sent over a public channel which is subject to active attack. Transmitter and 
receiver use an authentication code which is a set of authentication functions /, 
indexed by a key belonging to a set E. To authenticate a message called a source 
state and denoted by s S S', using a key e, transmitter forms a codeword /(e, s) 
and sends it to the receiver who can verify its authenticity using his knowledge 
of the key. 

Definition 1. An authentication code $C$ is a 4-tuple $(S, M, E, f)$, where $f$ is a mapping from $S \times E$ to $M$,

$$f : S \times E \to M,$$

such that $f(s, e) = m$ and $f(s', e) = m$ imply $s = s'$.
In a systematic Cartesian A-code the codeword corresponding to a source state $s$ using $e \in E$ is the concatenation of $s$ and an authentication tag $t \in \mathcal{T}$, that is, $m = (s, t)$. The receiver will detect a fraudulent codeword $(s, t)$ if the tag that it calculates for $s$ using its secret key $e$ is different from the received tag $t$.

The opponent can perform an impersonation, or a substitution, attack by constructing a fraudulent codeword, and succeeds if the codeword is acceptable to the receiver. In impersonation the attacker has not seen any previous communication, while in substitution he has seen one transmitted codeword. A code provides perfect protection against impersonation if the enemy's best strategy is randomly guessing a codeword. In the case of Cartesian A-codes the enemy's probability of success is then $P_I = 1/|\mathcal{T}| = |S|/|M|$. Perfect protection for substitution is defined in a similar way: it requires the enemy's best strategy to be randomly selecting one of the remaining codewords. For Cartesian A-codes the probability of success of the intruder must then be $P_S = 1/|\mathcal{T}|$.

An extension of this model, proposed by Desmedt, Frankel and Yung (DFY) 
P], is when there are multiple receivers. The system works as follows. First the 
key distribution centre(KDC) distributes secret keys to the transmitter and each 
receiver. Next the transmitter broadcasts a message to all the receivers who can 
individually verify authenticity of the message using their secret key information. 
There are malicious groups of receivers who use their secret keys and all the 
previous communications in the system to construct fraudulent messages. They 
succeed in their attack even if a single receiver accepts the message as being 
authentic. 

KO's formalisation of (w,n) MRA-codes is as follows. Let $E_1, E_2, \dots, E_n$ denote the sets of decoding rules of receivers $R_1, \dots, R_n$, and $S$ and $M$ denote the sets of source states and of the sender's codewords, respectively.

Definition 2. (KO) We say that $(S, M, E_1, \dots, E_n)$ is a $(w,n)$ multireceiver A-code if for all $(E_{i_1}, \dots, E_{i_w})$ and all $(e_{i_1}, \dots, e_{i_w})$,
\ ^ii 5 * * * ^w—1 ) ) • 

The probabilities of impersonation and substitution attacks, Pj and Pg, for 
{w, n) MRA-code are then defined as the best chance of success in impersonation 
and substitution attacks, respectively, against a single (arbitrary) receiver. 

With these definitions, they derived the following bounds. Assume $q = |M|/|S|$.

Theorem 3. (Theorem 9 of KO) In a $(w,n)$ MRA-code, $P_I \ge 1/\sqrt[w]{q}$. The equality holds if and only if $P(R_{i_1}, \dots, R_{i_w} \text{ accept } m) = 1/q$ and $P(R_j \text{ accepts } m) = 1/\sqrt[w]{q}$ for any $m$ and any $R_j$.

Theorem 4. (Theorem 10 of KO) In a $(w,n)$ MRA-code without secrecy, if $P_I = 1/\sqrt[w]{q}$ then $P_S \ge 1/\sqrt[w]{q}$. The equality holds if and only if

$$P(R_{i_1}, \dots, R_{i_w} \text{ accept } m' \mid R_{i_1}, \dots, R_{i_w} \text{ accept } m) = 1/q,$$

$$P(R_j \text{ accepts } m' \mid R_j \text{ accepts } m) = 1/\sqrt[w]{q}$$

for all $R_j$, all $m$ and all $m'$ such that the source state of $m$ is different from that of $m'$.

Theorem 5. (Theorem 11 of KO) In a $(w,n)$ MRA-code without secrecy, if $P_I = P_S = 1/\sqrt[w]{q}$ then $|E_j| \ge (\sqrt[w]{q})^2$ for all $j$. If the equality holds, then each rule of $E_j$ is used with equal probability.

KO characterised Cartesian MRA-codes that satisfy $P_I = P_S = 1/\sqrt[w]{q}$ and observed that the DFY polynomial construction is in fact an optimal construction: it has the least number of keys for the transmitter and the receivers and requires the smallest tag size for the authenticator.

Definition 2 only requires that the sets of keys of any $w$ receivers be independent. This property ensures that the probability of success of an impersonation attack by any $w - 1$ receivers against a single other receiver is the same as that of an (outside) opponent. However, it does not imply a similar property for substitution, as will be shown in Example 1 (contrary to KO's claim on page 207 of their paper). We give a more general definition for MRA-codes that has KO's definition as a special case, and derive information-theoretic and combinatorial lower bounds on $P_I$ and $P_S$ for such codes. These are the first information-theoretic bounds for MRA-codes.

2 Model and Bounds 

An MRA-System has three phases: 

1. Key distribution: The KDC (key distribution centre) privately transmits 
the key information to the sender and each receiver (the sender can also be 
the KDC). 

2. Broadcast: For a source state, the sender generates the authenticated mes- 
sage using his/her key and broadcasts the authenticated message. 

3. Verification: Each user can verify the authenticity of the broadcast mes- 
sage. 

Denote by $X_1 \times \cdots \times X_n$ the direct product of sets $X_1, \dots, X_n$, and by $p_i$ the projection mapping of $X_1 \times \cdots \times X_n$ onto $X_i$ (i.e., $p_i : X_1 \times \cdots \times X_n \to X_i$ defined by $p_i(x_1, x_2, \dots, x_n) = x_i$). Let $g_1 : X_1 \to Y_1$ and $g_2 : X_2 \to Y_2$ be two mappings; we denote the direct product of $g_1$ and $g_2$ by $g_1 \times g_2$ (i.e., $g_1 \times g_2 : X_1 \times X_2 \to Y_1 \times Y_2$ defined by $g_1 \times g_2(x_1, x_2) = (g_1(x_1), g_2(x_2))$). The identity mapping on a set $X$ is denoted by $1_X$.

Definition 6. Let $C = (S, M, E, f)$ and $C_i = (S, M_i, E_i, f_i)$, $i = 1, 2, \dots, n$, be authentication codes. We call $(C; C_1, C_2, \dots, C_n)$ a multireceiver authentication code (MRA-code) if there exist two mappings $\tau : E \to E_1 \times \cdots \times E_n$ and $\pi : M \to M_1 \times \cdots \times M_n$ such that for any $(s, e) \in S \times E$ and any $1 \le i \le n$ the following identity holds:

$$p_i(\pi f(s, e)) = f_i((1_S \times p_i \tau)(s, e)).$$

Let $\tau_i = p_i \tau$ and $\pi_i = p_i \pi$. Then we have for each $(s, e) \in S \times E$

$$\pi_i f(s, e) = f_i((1_S \times \tau_i)(s, e)).$$
We assume that for each $i$ the mappings $\tau_i : E \to E_i$ and $\pi_i : M \to M_i$ are surjective. We also assume that for each code $C_i$ the probability distribution on the source states is the same as that in the A-code $C$, and that the probability distribution on $E_i$ is derived from that of $E$ and the mapping $\tau_i$.

Let $T$ denote the sender and $R_1, \dots, R_n$ the receivers. In order to authenticate a message, the sender and the receivers follow the following protocol.

1. The KDC (or the sender) randomly chooses a key $e \in E$ and privately transmits $e$ to $T$ and $e_i = \tau_i(e)$ to the receiver $R_i$ for all $1 \le i \le n$.

2. If $T$ wants to send a source state $s \in S$ to all the receivers, $T$ computes $m = f(s, e) \in M$ and broadcasts it to all receivers.

3. Receiver $R_i$ checks whether a source state $s$ such that $f_i(s, e_i) = \pi_i(m)$ exists. If such an $s$ exists, the message $m$ is accepted as authentic; otherwise $m$ is rejected.

We adopt Kerckhoffs' principle that everything in the system except the actual keys of the sender and receivers is public. This includes the probability distribution of the source states and of the sender's keys. From Definition 6 we know that the probability distribution of the sender's key induces a probability distribution on each receiver's key.

Attackers could be outsiders who do not have access to any key information, or 
insiders who have some key information. We only need to consider the latter 
group as it is at least as powerful as the former. We consider the systems that 
protect against the coalition of groups of up to a maximum size of receivers, and 
study impersonation and substitution attacks. 

Assume there are $n$ receivers $R_1, \dots, R_n$. Let $L = \{j_1, \dots, j_k\} \subseteq \{1, \dots, n\}$, $E_L = E_{j_1} \times \cdots \times E_{j_k}$ and $R_L = \{R_{j_1}, \dots, R_{j_k}\}$. We consider the attack from $R_L$ on a receiver $R_i$, where $i \notin L$.

Impersonation attack: $R_L$, after receiving their secret keys, send a message $m$ to $R_i$. $R_L$ is successful if $m$ is accepted by $R_i$ as authentic. We denote by $P_I[i, L]$ the success probability of $R_L$ in performing an impersonation attack on $R_i$. This can be expressed as

$$P_I[i, L] = \max_{m \in M} P(m \text{ is accepted by } R_i \mid e_L),$$

where $e_L \in E_L$ is the key information held by $R_L$.

Substitution attack: $R_L$, after observing a message $m$ that is transmitted by the sender, replace $m$ with another message $m'$. $R_L$ is successful if $m'$ is accepted by $R_i$ as authentic. We denote by $P_S[i, L]$ the success probability of $R_L$ in performing a substitution attack on $R_i$. We have

$$P_S[i, L] = \max_{e_L \in E_L}\ \max_{m \in M}\ \max_{m' \in M,\, m' \ne m} P(R_i \text{ accepts } m' \mid m, e_L).$$

The following two bounds are generalisations of Simmons' bound and Brickell's bound [2] to the case where the attack comes from a group of insiders who have access to part of the key information.
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Theorem 7. Let Pi[i,L] and Ps[i,L] be defined as above. 

1. Pi[i,L] > 

2. Ps[i,L] > 

The proof is omitted due to lack of space.

Corollary 8. 

Ps[i,L] > 

Proof. The corollary follows from Theorem 7 by noting that

$$I(M'; E_i \mid M, E_L) = H(E_i \mid M, E_L) - H(E_i \mid M', M, E_L).$$

A $(w,n)$ MRA-code is an MRA-code in which there are $n$ receivers such that no set of $w - 1$ receivers can construct a fraudulent codeword acceptable to another receiver. We note that in this definition the only requirement is that the chance of success of the attackers is less than one, but it is possible that some coalition of attackers has a better chance of success than an outsider. A $(w,n)$ MRA-code is perfect against impersonation if the chance of success of any group of up to $w - 1$ receivers in an impersonation attack is the same as that of an outsider. Similarly, a $(w,n)$ MRA-code is perfect against substitution if the chance of success of any group of up to $w - 1$ receivers in a substitution attack is the same as that of an outsider.

Let $(C; C_1, \dots, C_n)$ be an MRA-code. Define $P_I$ and $P_S$ as follows:

$$P_I = \max_{L \cup \{i\}} \{P_I[i, L]\}, \qquad P_S = \max_{L \cup \{i\}} \{P_S[i, L]\},$$

where the maximum is taken over all possible $w$-subsets $L \cup \{i\}$ ($i \notin L$) of $\{1, 2, \dots, n\}$. In other words, $P_I$ and $P_S$ are the best chances of a group of $w - 1$ receivers to succeed in impersonation or substitution attacks, respectively, against a single receiver.

Let $P_I[i]$ and $P_S[i]$ denote the success probabilities of an outsider in impersonation and substitution attacks, respectively. Then

$$P_I[i] = \max_{m \in M} P(R_i \text{ accepts } m) = \max_{m \in M} P(\pi_i(m) \text{ is valid in } C_i),$$

$$P_S[i] = \max_{m'} P(R_i \text{ accepts } m' \mid m \text{ is valid in } C) = \max_{m'} P(\pi_i(m') \text{ is valid in } C_i \mid m \text{ is valid in } C).$$

Thus a $(w,n)$ MRA-code is perfect against impersonation if and only if Condition (a): $P_I[i, L] = P_I[i]$ holds; and it is perfect against substitution if and only if Condition (b): $P_S[i, L] = P_S[i]$ holds.
Lemma 9. A sufficient condition for a $(w,n)$ MRA-code to be perfect against impersonation is that $P(e_i \mid e_L) = P(e_i)$ for all $w$-subsets $L \cup \{i\}$ ($i \notin L$) of $\{1, 2, \dots, n\}$.

The proof is given in Appendix I.

It should also be noted that a $(w,n)$ MRA-code which is perfect for impersonation is not necessarily perfect for substitution, as the following example shows.

Example 1. Similar to the DFY polynomial scheme, the sender randomly chooses two polynomials $f(x), g(x)$ of degree at most $w - 1$ and secretly transmits $(f(i), g(i))$ to receiver $R_i$ ($i \ne 0$). For a source state $s \in GF(q)$ the sender calculates $h(x) = f(x) + s\,g(x)$ and broadcasts $(s, g(0), h(x))$. Each receiver $R_i$ can verify the authenticity of the broadcast message by checking whether $h(i) = f(i) + s\,g(i)$. Now for any group of $w - 1$ receivers $L = \{R_{i_1}, \dots, R_{i_{w-1}}\}$ and $i \notin L$, $P_I[i, L] = 1/q$, since $L$ has no information about the key $(f(i), g(i))$ of $R_i$. But $P_S[i, L] = 1$, since after seeing the broadcast message $L$ can calculate $f(0) = h(0) - s\,g(0)$, so $L$ knows $(f(i_1), g(i_1)), \dots, (f(i_{w-1}), g(i_{w-1}))$ and $(f(0), g(0))$. Thus $L$ can calculate $f(x)$ and $g(x)$, and so $P_S[i, L] = 1$.
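Example 1 carried out in code, as an added illustration that is not part of the paper: the sender's and receivers' keys, the broadcast $(s, g(0), h(x))$, the substitution forgery by $w - 1$ colluding receivers (interpolating $f$ and $g$ from their own shares plus $(f(0), g(0))$), and an exact count showing that the same coalition, before any broadcast, still has impersonation success exactly $1/q$. The parameters $q = 31$, $w = 3$, $n = 5$, the source states and the random seed are constructed for the illustration and are not values from the paper.

```python
"""Example 1 over GF(q): perfect against impersonation, broken by substitution.
Constructed example; q = 31 (prime, so GF(q) is the integers mod q), w = 3 and
n = 5 are illustrative values, not parameters from the paper."""
import random

P = 31          # q
W = 3           # f, g have degree <= w-1; any w-1 receivers may collude
N = 5           # receivers R_1..R_N; receiver i is evaluated at x = i (i != 0)

def poly_eval(coeffs, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

def interpolate(points):
    """Lagrange interpolation over GF(q): coefficient list (low degree first) of the
    unique polynomial of degree < len(points) through the given (x, y) pairs."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1                       # prod_{j != i} (x - x_j) / (x_i - x_j)
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = [((basis[k - 1] if k else 0) - xj * (basis[k] if k < len(basis) else 0)) % P
                         for k in range(len(basis) + 1)]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, P - 2, P) % P       # Fermat inverse of the denominator
        for k, b in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * b) % P
    return coeffs

def keygen(seed=None):
    """KDC: random f, g of degree <= w-1; R_i gets (f(i), g(i)), the sender gets f, g."""
    rng = random.Random(seed)
    f = [rng.randrange(P) for _ in range(W)]
    g = [rng.randrange(P) for _ in range(W)]
    return (f, g), {i: (poly_eval(f, i), poly_eval(g, i)) for i in range(1, N + 1)}

def authenticate(sender, s):
    """Broadcast (s, g(0), h(x)) with h(x) = f(x) + s g(x)."""
    f, g = sender
    return s, g[0], [(fi + s * gi) % P for fi, gi in zip(f, g)]

def verify(key_i, i, msg):
    s, _, h = msg
    fi, gi = key_i
    return poly_eval(h, i) == (fi + s * gi) % P

def forge(coalition_keys, msg, s_new):
    """w-1 colluding receivers L after one broadcast: f(0) = h(0) - s g(0) gives a
    w-th point of f and of g, so both are interpolated and any s' can be signed."""
    s, g0, h = msg
    f0 = (poly_eval(h, 0) - s * g0) % P
    f_rec = interpolate([(0, f0)] + [(j, k[0]) for j, k in coalition_keys.items()])
    g_rec = interpolate([(0, g0)] + [(j, k[1]) for j, k in coalition_keys.items()])
    return authenticate((f_rec, g_rec), s_new)

def impersonation_success(coalition_keys, i, msg):
    """Exact P(R_i accepts msg) over all keys consistent with L's view before any
    broadcast: f and g are fixed by their values on L and at 0, so range over f(0), g(0)."""
    pts = lambda idx: [(j, k[idx]) for j, k in coalition_keys.items()]
    fs = [interpolate([(0, a)] + pts(0)) for a in range(P)]
    gs = [interpolate([(0, b)] + pts(1)) for b in range(P)]
    hits = sum(verify((poly_eval(f, i), poly_eval(g, i)), i, msg) for f in fs for g in gs)
    return hits, P * P                              # hits / (q*q) == 1/q

def demo(seed=7):
    sender, recv = keygen(seed)
    msg = authenticate(sender, 17)
    coalition = {1: recv[1], 2: recv[2]}            # L = {R_1, R_2} attacking R_3
    forged = forge(coalition, msg, 23)
    return (all(verify(recv[i], i, msg) for i in recv),
            verify(recv[3], 3, forged),
            impersonation_success(coalition, 3, msg)[0] * P == P * P)
```

`demo()` returns `(True, True, True)`: the genuine broadcast is accepted by every receiver, the coalition's forgery for a new source state is accepted by $R_3$ (and, since $f$ and $g$ are fully recovered, by everyone else), and the impersonation count is exactly $q$ hits out of $q^2$ consistent keys. The last point is the mechanism behind $P_I[i, L] = 1/q$: with $f(0)$ and $g(0)$ unknown, $f(i) + s\,g(i)$ is uniform over $GF(q)$ from the coalition's point of view, and one broadcast is precisely what removes that uncertainty.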

We define the deception probability of a $(w,n)$ MRA-system as $P_D = \max\{P_I, P_S\}$.

Theorem 10. Let $(C; C_1, \dots, C_n)$ be a $(w,n)$ MRA-code. Assume that $P_D \le 1/q$ and suppose there is a uniform probability distribution on the source states $S$. Then

(i) $|E_i| \ge q^2$, for each $i \in \{1, \dots, n\}$;

(ii) $|E| \ge$

(iii) $|M| \ge$

The bounds are tight and there exists a system that satisfies the bounds with 
equality. 

Proof is given in the Appendix I 

Comparison of the bounds with KO's bounds: Theorem 10 gives combinatorial bounds for general $(w,n)$ MRA-codes on the size of the transmitter's and the receivers' keys when the probability of deception is known. It also lower bounds the required redundancy in terms of the deception probabilities. KO's bounds only apply to $(w,n)$ MRA-codes that are perfect against impersonation and can be seen as special cases of the combinatorial bounds derived above. In Appendix II we give a more detailed comparison of the two sets of bounds.

3 Constructions 

DFY gave two constructions for MRA-codes: one based on polynomials and the other based on finite geometries. KO showed that the polynomial construction is optimal and has the minimum number of keys for transmitter and receivers (Theorems 9 and 11 in KO) and produces the shortest tag for the codewords. No other optimal construction is known so far. In this section we use error correcting codes (E-codes) to construct MRA-codes. First, we present two constructions which can be used to derive an MRA-code from an arbitrary E-code, and then show that the constructions result in new optimal MRA-codes.

A linear $[n,k]$ code $C$ over $GF(q)$ is a linear subspace of $GF(q)^n$ with dimension $k$. The minimum distance $d_C$ of $C$ is defined by $d_C = \min_{0 \neq u \in C} \mathrm{wt}(u)$, where $\mathrm{wt}(u)$ is the number of nonzero coordinates of $u$. A $k \times n$ matrix $G$ over $GF(q)$ is called a generator matrix of $C$ if its row vectors generate the linear subspace $C$. For a linear code $C$ its dual code, denoted by $C^\perp$, is defined by

$$C^\perp = \{u \in GF(q)^n : u v^T = 0 \text{ for all } v \in C\}.$$

We briefly recall DFY's polynomial construction, as it makes it easier to describe Construction I.

DFY polynomial construction: Assume there is a sender $T$ and $n$ receivers $R_1, \ldots, R_n$. The key for $T$ consists of two random polynomials $P_0(x)$ and $P_1(x)$ of degree at most $w-1$ with coefficients in $GF(q)$. The key for $R_i$ consists of $P_0(i)$ and $P_1(i)$. For a source state $s \in GF(q)$, $T$ broadcasts $(s, A(x))$ where $A(x) = P_0(x) + s P_1(x)$. $R_i$ accepts $(s, A(x))$ as authentic if $A(i) = P_0(i) + s P_1(i)$. It is proved in DFY that no group of $w-1$ receivers can perform an impersonation or substitution attack against a single receiver with probability greater than $1/q$; the construction provides the parameters $P_I = P_S = 1/q$, $|E_i| = q^2$ for all $1 \le i \le n$, $|E| = q^{2w}$ and $|M| = q^w |S|$.

3.1 Construction I

Let $C$ be a linear $[n,k]$ code over $GF(q)$ with a generator matrix $G \in GF(q)^{k \times n}$. We construct an MRA-code with $n$ receivers from $C$ in the following way. Assume that $S = GF(q)$ is the set of source states and $G$ is publicly known.

1. Key distribution: $T$ randomly chooses $(\alpha, \beta) \in GF(q)^k \times GF(q)^k$. $T$ then calculates the codewords $\alpha G = u = (u_1, \ldots, u_n)$ and $\beta G = v = (v_1, \ldots, v_n)$, and privately transmits $(u_i, v_i)$ to the receiver $R_i$ for each $1 \le i \le n$; this pair constitutes the secret key of $R_i$.

2. Broadcast: To authenticate a message $s \in S$, the sender $T$ computes $\gamma = \alpha + s\beta$ and broadcasts $(s, \gamma)$ to all the receivers.

3. Verification: For each $i$, $R_i$ accepts $(s, \gamma)$ as authentic if $y_i = u_i + s v_i$, where $y = (y_1, \ldots, y_n) = \gamma G$.

Lemma 11. In the above construction, let the probability distributions on the source and on the sender's key space be uniform. Let $L = \{i_1, \ldots, i_\ell\} \subset \{1, \ldots, n\}$ and $i \notin L$. Then $P_I[i,L] = P_S[i,L] = 1/q$ if and only if there exists a codeword $c = (c_1, \ldots, c_n) \in C$ such that $c_{i_1} = \cdots = c_{i_\ell} = 0$ and $c_i = 1$.

Proof (Sketch)

Sufficiency: Assume that there exists a codeword $c \in C$ satisfying the required property of the lemma. Let $u = \alpha G$, $v = \beta G$, where $(\alpha, \beta)$ is the key chosen by the sender $T$. Because of the linearity of the E-code, we know that for any $t, t' \in GF(q)$ we have $u + tc,\ v + t'c \in C$. Since $R_L$ have the key information $((u_{i_1}, \ldots, u_{i_\ell}), (v_{i_1}, \ldots, v_{i_\ell}))$, for all $t, t' \in GF(q)$ the vectors $(u_{i_1}, \ldots, u_{i_\ell}, u_i + t)$ and $(v_{i_1}, \ldots, v_{i_\ell}, v_i + t')$ are equally consistent with that information, so they produce all possible keys of $R_{L \cup \{i\}}$. It follows that $R_L$ have no information about the key of $R_i$, and hence $P_I[i,L] = P_S[i,L] = 1/q$.

Necessity: Assume that there is no codeword $c$ in $C$ satisfying the required property of the lemma. We prove that $(u_{i_1}, \ldots, u_{i_\ell})$ and $(v_{i_1}, \ldots, v_{i_\ell})$ uniquely determine $u_i$ and $v_i$. Clearly, there exist $u_i$ and $v_i$ such that $(u_{i_1}, \ldots, u_{i_\ell}, u_i)$ and $(v_{i_1}, \ldots, v_{i_\ell}, v_i)$ are subcodewords of $C$. We only need to show that such $u_i$ and $v_i$ are unique. Indeed, if there exist two subcodewords $(u_{i_1}, \ldots, u_{i_\ell}, u_i)$ and $(u_{i_1}, \ldots, u_{i_\ell}, u'_i)$ in $C$ with $u_i \neq u'_i$, it follows that $(u_{i_1}, \ldots, u_{i_\ell}, u_i) - (u_{i_1}, \ldots, u_{i_\ell}, u'_i) = (0, \ldots, 0, u_i - u'_i)$ is also a subcodeword in $C$, and so is $(0, \ldots, 0, 1)$, which is a contradiction. In this case we have $P_I[i,L] = P_S[i,L] = 1$, proving the necessity.



Theorem 12. Let $C$ be a linear $[n,k]$ code over $GF(q)$ and let $d'$ be the minimum distance of $C^\perp$, the dual code of $C$. Then Construction I results in a $(w,n)$ MRA-code with $P_I = P_S = 1/q$, $w = d' - 1 \le k$, and the following parameters:

$$|S| = q, \quad |M| = q^{k+1}, \quad |E| = q^{2k} \quad \text{and} \quad |E_i| = q^2.$$

Proof. We show that the resulting MRA-code is a $(d'-1, n)$ MRA-code, but not a $(d', n)$ MRA-code. Let $G$ be a generator matrix of $C$, and let $d'$ be the minimum distance of $C^\perp$. Recall that $C^\perp$ has minimum distance $d'$ if and only if every $d'-1$ columns of $G$ are linearly independent and some $d'$ columns of $G$ are linearly dependent. For each choice of $d'-1$ columns, indexed by $\{i_1, \ldots, i_{d'-2}, i\}$, the restriction of $G$ to these $d'-1$ columns results in a $k \times (d'-1)$ matrix $G'$ of full column rank $d'-1$, so the rows of $G'$ span $GF(q)^{d'-1}$. It follows that $e_i \in GF(q)^{d'-1}$ can be expressed as a linear combination of the $k$ rows of $G'$, where $e_i$ is the vector with the entry in the position of $i$ being 1 and the other entries being 0. This implies that there exists a codeword $c = (c_1, \ldots, c_n) \in C$ such that $c_{i_1} = \cdots = c_{i_{d'-2}} = 0$ and $c_i = 1$.

Thus, by Lemma 11 we have $P_I[i,L] = P_S[i,L] = 1/q$ for any $(d'-1)$-subset $\{i\} \cup L$ of $\{1, \ldots, n\}$ with $i \notin L$, and so the resulting MRA-code is a $(d'-1, n)$ MRA-code with $P_I = P_S = 1/q$. In a similar manner, we can prove that there exists a $d'$-subset $L \cup \{i\}$ of $\{1, \ldots, n\}$ such that $P_I[i,L] = P_S[i,L] = 1$, so it is not a $(d', n)$ MRA-code.
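Construction I together with the Lemma 11 test, run over $GF(11)$ on two small codes as an added example (this code is not from the paper): a non-MDS $[5,3]$ code whose fourth column is the sum of the first two, so the coalition $\{R_1, R_2\}$ derives $R_4$'s key and forges, and a Reed-Solomon $[5,3]$ code, where every three columns are independent and $w = k$ as Corollary 14 below states. The prime, the generator matrices, the coalitions and the source states are toy choices; `max_w`, `coalition_can_derive` and the other names are this example's own. The Lemma 11 condition is tested in its equivalent linear-algebra form: no codeword is $0$ on $L$ and $1$ at $i$ exactly when column $i$ of $G$ lies in the span of the columns indexed by $L$.

```python
"""Construction I over GF(p) plus the Lemma 11 test and the coalition attack that
follows when the test fails. Added example, not the paper's code; p, the two
generator matrices, the coalitions and the source states are toy choices."""
import random
from itertools import combinations


def rref_mod_p(rows, p):
    """Reduced row echelon form over GF(p). Returns (matrix, pivot_columns)."""
    m = [[x % p for x in r] for r in rows]
    pivots, r = [], 0
    for col in range(len(m[0])):
        if r == len(m):
            break
        piv = next((i for i in range(r, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][col], p - 2, p)
        m[r] = [x * inv % p for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][col]:
                f = m[i][col]
                m[i] = [(x - f * y) % p for x, y in zip(m[i], m[r])]
        pivots.append(col)
        r += 1
    return m, pivots


def solve_mod_p(A, b, p):
    """One solution of A x = b over GF(p) (free variables 0), or None if inconsistent."""
    aug, pivots = rref_mod_p([row + [bi] for row, bi in zip(A, b)], p)
    n = len(A[0])
    if n in pivots:                       # a pivot in the right-hand column: 0 = nonzero
        return None
    x = [0] * n
    for r, col in enumerate(pivots):
        x[col] = aug[r][n]
    return x


def columns(G, idx):
    """Restriction of G to the columns in idx (k x |idx| matrix)."""
    return [[row[j] for j in idx] for row in G]


def coalition_can_derive(G, L, i, p):
    """Negation of Lemma 11's condition: no codeword is 0 on L and 1 at i exactly when
    column i of G lies in the span of the columns in L, i.e. (u_i, v_i) is a function
    of the coalition's keys."""
    return solve_mod_p(columns(G, L), [row[i] for row in G], p) is not None


def max_w(G, p):
    """Largest w such that every w columns of G are independent: d' - 1 of Theorem 12."""
    k, n = len(G), len(G[0])
    w = 0
    for size in range(1, k + 1):
        if all(len(rref_mod_p(columns(G, idx), p)[1]) == size
               for idx in combinations(range(n), size)):
            w = size
        else:
            break
    return w


def vec_times_matrix(vec, G, p):
    """vec * G for a k-vector and a k x n matrix."""
    return [sum(a * row[j] for a, row in zip(vec, G)) % p for j in range(len(G[0]))]


def key_distribution(G, p, rng):
    """Sender key (alpha, beta); receiver i (0-based) gets (u_i, v_i), u = alpha G, v = beta G."""
    k = len(G)
    alpha = [rng.randrange(p) for _ in range(k)]
    beta = [rng.randrange(p) for _ in range(k)]
    u, v = vec_times_matrix(alpha, G, p), vec_times_matrix(beta, G, p)
    return (alpha, beta), list(zip(u, v))


def broadcast(sender_key, s, p):
    """gamma = alpha + s*beta; the message is (s, gamma)."""
    alpha, beta = sender_key
    return (s, [(a + s * b) % p for a, b in zip(alpha, beta)])


def verify(G, i, key_i, msg, p):
    """R_i accepts iff (gamma G)_i = u_i + s v_i."""
    s, gamma = msg
    u_i, v_i = key_i
    return vec_times_matrix(gamma, G, p)[i] == (u_i + s * v_i) % p


def coalition_forge(G, L, i, keys, s_new, p):
    """If col_i = sum_j lambda_j col_j then (u_i, v_i) = sum_j lambda_j (u_j, v_j); any gamma
    with gamma . col_i = u_i + s_new v_i is then accepted by R_i. None if Lemma 11 holds."""
    lam = solve_mod_p(columns(G, L), [row[i] for row in G], p)
    if lam is None:
        return None
    u_i = sum(l * keys[j][0] for l, j in zip(lam, L)) % p
    v_i = sum(l * keys[j][1] for l, j in zip(lam, L)) % p
    target = (u_i + s_new * v_i) % p
    gamma = [0] * len(G)
    j0 = next((r for r in range(len(G)) if G[r][i] % p), None)
    if j0 is not None:                    # an all-zero column makes every gamma work
        gamma[j0] = target * pow(G[j0][i], p - 2, p) % p
    return (s_new, gamma)


def demo(p=11, seed=7):
    rng = random.Random(seed)
    # Non-MDS [5,3] code: column 4 = column 1 + column 2, so w = d'-1 = 2 < k = 3.
    G = [[1, 0, 0, 1, 1],
         [0, 1, 0, 1, 1],
         [0, 0, 1, 0, 1]]
    # Reed-Solomon [5,3] code (Vandermonde on x = 1..5): every 3 columns independent, w = k.
    RS = [[pow(x, r, p) for x in range(1, 6)] for r in range(3)]
    sender, keys = key_distribution(G, p, rng)
    msg = broadcast(sender, 6, p)
    forged = coalition_forge(G, [0, 1], 3, keys, 9, p)       # {R_1, R_2} against R_4
    return {
        "w_nonmds": max_w(G, p),
        "w_rs": max_w(RS, p),
        "genuine_ok": all(verify(G, i, keys[i], msg, p) for i in range(5)),
        "dependent_column_forged": forged is not None and verify(G, 3, keys[3], forged, p),
        "independent_column_safe": coalition_forge(G, [0, 1], 2, keys, 9, p) is None,
        "rs_two_colluders_fail": all(not coalition_can_derive(RS, list(L), i, p)
                                     for L in combinations(range(5), 2)
                                     for i in range(5) if i not in L),
        "rs_three_colluders_win": coalition_can_derive(RS, [0, 1, 2], 3, p),
    }


if __name__ == "__main__":
    print(demo())
```

`max_w` is exactly Theorem 12's $d'-1$, computed directly from column independence rather than from the dual code; for the Vandermonde matrix it returns $k$, which is the case Corollary 15 identifies with DFY's scheme.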

In general the MRA-code derived from an E-code is not optimal and does not meet the bounds of Theorem 10. In the following we show that for a well-known class of E-codes the construction results in optimal MRA-codes.

A maximum distance separable (MDS) E-code has the maximum possible minimum distance, and its parameters satisfy $d_C = n - k + 1$. We are only interested in linear MDS codes. An important property of MDS codes is given in the following theorem.

Theorem 13. (Theorem 2, page 318 in the cited text) If $C$ is MDS, so is the dual $C^\perp$.

This means that for an MDS code $d' = n - (n-k) + 1 = k + 1$, or $k = d' - 1$. That is, the resulting $(w,n)$ MRA-code can protect against the largest possible set of cheaters. Using this result and Theorem 12 it is straightforward to prove the following.

Corollary 14. If the linear code $C$ in Construction I is an $[n,k]$ MDS code over $GF(q)$, then Construction I results in an optimal $(k,n)$ MRA-code with $P_I = P_S = 1/q$. It has the following parameters:

$$|S| = q, \quad |M| = q^{k+1}, \quad |E| = q^{2k} \quad \text{and} \quad |E_i| = q^2.$$

A special class of MDS codes are Reed-Solomon codes, with the following generator matrix,

$$G = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ x_1 & x_2 & \cdots & x_n \\ \vdots & \vdots & & \vdots \\ x_1^{w-1} & x_2^{w-1} & \cdots & x_n^{w-1} \end{pmatrix},$$

where the $x_i$ are $n$ distinct elements in $GF(q)$.

Corollary 15. If the linear code $C$ in Construction I is an $[n,k]$ Reed-Solomon code, then Construction I coincides with DFY's construction.

3.2 Construction II 

Construction I can be seen as a generalisation of DFY's construction. Construction II is based on the properties of the dual code and can be used for large source spaces, which makes it of practical interest. We first describe the construction and then discuss its properties.

The basic idea is to use vectors of the dual code for the verification process. The sender's secret key is an $\ell \times w$ matrix $U$ which defines the generator matrix $G = [I_\ell \mid U]$ of a linear code. To authenticate a source state $s \in S$ the sender generates the codeword $c = sG$ and broadcasts it to the receivers. Each receiver $R_i$ has a codeword $d_i$ of the dual code. To verify the authenticity of a broadcast vector $x$, receiver $R_i$ calculates $x \cdot d_i$ ($\cdot$ denotes the vector inner product) and, if it is zero, accepts the codeword as authentic.

Let $S \subset GF(q)^\ell$ denote the set of source states obtained by defining an equivalence relation $\sim$ over $GF(q)^\ell \setminus \{0\}$ as follows: $s \sim s'$ if and only if $s = r s'$ for some $0 \neq r \in GF(q)$. It is easy to verify that this relation is in fact an equivalence relation. We define $S$ as the set of equivalence classes obtained from $GF(q)^\ell \setminus \{0\}$. It follows that

$$|S| = \frac{q^\ell - 1}{q - 1} = q^{\ell - 1} + \cdots + q + 1.$$

The three phases of Construction II are as follows.

1. Key distribution: The sender $T$ randomly chooses an $\ell \times w$ matrix $U \in GF(q)^{\ell \times w}$ (so that $[I_\ell \mid U]$ is the generator matrix of a linear $[\ell + w, \ell]$ code in systematic form). Assume that $q > n$ (this assumption is not necessary¹). $T$ chooses $n$ distinct elements $x_1, \ldots, x_n \in GF(q)$ (these elements are public and are used as the identities of the receivers), and then calculates and secretly transmits

$$U(1, x_i, \ldots, x_i^{w-1})^T = a_i \in GF(q)^{\ell \times 1}$$

to $R_i$, which constitutes the secret key of $R_i$, $i = 1, \ldots, n$.

2. Broadcast: To authenticate a source state $s = (s_1, \ldots, s_\ell) \in S$, $T$ computes $sU = t = (t_1, \ldots, t_w) \in GF(q)^w$ and broadcasts $(s, t)$.

3. Verification: For each $i$, $R_i$ accepts $(s, t)$ as authentic if $s a_i = t (1, x_i, \ldots, x_i^{w-1})^T$.
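Construction II as an added example (not the paper's code) over $GF(11)$ with $\ell = w = 3$ and five receivers. The check $s a_i = t(1, x_i, \ldots, x_i^{w-1})^T$ is linear in $(s, t)$, so the pair $(rs, rt)$ passes it for every $r \neq 0$; that is precisely why the source states are the classes of $\sim$ and why a receiver must insist on the canonical representative of $s$. The script also brute-forces, for tiny parameters, the bijection $\phi$ used in the proof of Theorem 16 below: with $w-1$ colluders the target's key takes every value equally often, with $w$ colluders it is fixed. $q$, $\ell$, $w$, the identities and the vectors are toy choices; all names are this example's own.

```python
"""Construction II over GF(q): sender key U (l x w), receiver i holds the column
a_i = U (1, x_i, ..., x_i^(w-1))^T, tag t = s U, check s a_i = t (1, x_i, ...)^T.
Added example, not the paper's code; q, l, w, the receiver identities and the
source vectors are toy choices."""
import random
from itertools import product


def powers(x, w, q):
    """(1, x, ..., x^(w-1)) mod q."""
    return [pow(x, j, q) for j in range(w)]


def dot(a, b, q):
    return sum(x * y for x, y in zip(a, b)) % q


def canonical(s, q):
    """Representative of the class {r*s : r != 0}: scale so the first nonzero entry is 1.
    Source states are these classes, so a broadcast must carry the representative."""
    lead = next((x for x in s if x % q), None)
    if lead is None:
        raise ValueError("the zero vector is not a source state")
    inv = pow(lead, q - 2, q)
    return tuple(x * inv % q for x in s)


def num_source_states(l, q):
    """|S| = (q^l - 1)/(q - 1) = q^(l-1) + ... + q + 1."""
    return (q ** l - 1) // (q - 1)


def key_distribution(l, w, ids, q, rng):
    """U is the sender's key; receiver i's key is the column a_i = U x_i^vec."""
    U = [[rng.randrange(q) for _ in range(w)] for _ in range(l)]
    keys = [[dot(row, powers(x, w, q), q) for row in U] for x in ids]
    return U, keys


def broadcast(U, s, q):
    """t = s U for the canonical representative s of the source class."""
    s = canonical(s, q)
    t = [sum(s[r] * U[r][j] for r in range(len(U))) % q for j in range(len(U[0]))]
    return (s, tuple(t))


def verify(i, key_i, ids, msg, q, enforce_canonical=True):
    """R_i checks s . a_i = t . (1, x_i, ..., x_i^(w-1)); with enforce_canonical it also
    rejects a non-representative s, which is what makes a scaled copy a different state."""
    s, t = msg
    if enforce_canonical and tuple(s) != canonical(s, q):
        return False
    return dot(s, key_i, q) == dot(t, powers(ids[i], len(t), q), q)


def scaling_forgery(msg, r, q):
    """(s, t) -> (r s, r t): passes the raw linear check because both sides scale by r."""
    s, t = msg
    return (tuple(x * r % q for x in s), tuple(x * r % q for x in t))


def target_key_is_independent(q, l, w, ids, colluders, target):
    """Brute-force check of the bijection phi: over all U in GF(q)^(l x w), for each tuple
    of colluder keys the target's key must take every value in GF(q)^l exactly once
    (true for w-1 colluders, false as soon as w receivers collude)."""
    vecs = [powers(x, w, q) for x in ids]
    views = {}
    for flat in product(range(q), repeat=l * w):
        U = [flat[r * w:(r + 1) * w] for r in range(l)]
        key = lambda i: tuple(dot(row, vecs[i], q) for row in U)
        views.setdefault(tuple(key(i) for i in colluders), []).append(key(target))
    return all(len(set(v)) == len(v) == q ** l for v in views.values())


def demo(q=11, l=3, w=3, n=5, seed=3):
    rng = random.Random(seed)
    ids = list(range(1, n + 1))                    # public identities x_1..x_n, q > n
    U, keys = key_distribution(l, w, ids, q, rng)
    msg = broadcast(U, (3, 7, 2), q)
    forged = scaling_forgery(msg, 2, q)
    return {
        "num_sources": num_source_states(l, q),
        "genuine_ok": all(verify(i, keys[i], ids, msg, q) for i in range(n)),
        "scaled_passes_raw_check": all(verify(i, keys[i], ids, forged, q, enforce_canonical=False)
                                       for i in range(n)),
        "scaled_rejected": not any(verify(i, keys[i], ids, forged, q) for i in range(n)),
        "scaled_is_other_vector": forged[0] != msg[0],
    }


if __name__ == "__main__":
    print(demo())
    print(target_key_is_independent(5, 2, 3, [1, 2, 3, 4, 5], [0, 1], 2))
```

`target_key_is_independent(5, 2, 3, ids, [0, 1], 2)` enumerates all $5^6$ keys $U$ and is the exhaustive form of the one-to-one argument; calling it with three colluders and $w = 3$ returns `False`, since the $w$ Vandermonde vectors then determine $U$ completely.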

Theorem 16. Construction II results in a $(w,n)$ multireceiver A-code with $P_I = P_S = 1/q$. It has the following parameters:

$$|S| = \frac{q^\ell - 1}{q - 1}, \quad |M| = q^w |S|, \quad \text{and} \quad |E_i| = q^\ell.$$

Proof. First, we prove that $P_I = P_S = 1/q$. It is sufficient to show that for each $L \subset \{1, \ldots, n\}$ with $|L| = w - 1$ and $i \notin L$, $P_I[i,L] = P_S[i,L] = 1/q$. Without loss of generality, assume that $L = \{1, \ldots, w-1\}$ and $i = w$, and that after the key distribution $R_L$ hold their keys

$$U(1, x_1, \ldots, x_1^{w-1})^T = a_1, \quad \ldots, \quad U(1, x_{w-1}, \ldots, x_{w-1}^{w-1})^T = a_{w-1}.$$

Let

$$\mathcal{F} = \{U \in GF(q)^{\ell \times w} : U(1, x_1, \ldots, x_1^{w-1})^T = a_1, \ \ldots, \ U(1, x_{w-1}, \ldots, x_{w-1}^{w-1})^T = a_{w-1}\}.$$

That is, $\mathcal{F}$ is the set of possible authentication keys of the sender $T$ in accordance with the keys of $R_L$. We define a mapping $\phi : \mathcal{F} \to GF(q)^{\ell \times 1}$ by

$$\phi(U) = U(1, x_w, \ldots, x_w^{w-1})^T, \quad \forall U \in \mathcal{F}.$$

It is straightforward to verify that $\phi$ is one-to-one from $\mathcal{F}$ onto $GF(q)^{\ell \times 1}$ (the $w$ vectors $(1, x_j, \ldots, x_j^{w-1})$, $j = 1, \ldots, w$, are linearly independent because the $x_j$ are distinct). This also implies that $R_w$'s key $U(1, x_w, \ldots, x_w^{w-1})^T = \phi(U)$ is independent of the keys of $R_L$.

In the impersonation attack, $R_L$ generates a codeword $(s,t)$, $s \in S$ and $t \in T = GF(q)^w$, and hopes that it will be accepted by $R_w$ as authentic. It follows that

$$P_I[w,L] = \max_{(s,t) \in S \times T} \frac{\bigl|\{U \in \mathcal{F} : sU(1, x_w, \ldots, x_w^{w-1})^T = t(1, x_w, \ldots, x_w^{w-1})^T\}\bigr|}{|\mathcal{F}|} = \frac{1}{q}.$$

In the substitution attack, $R_L$, after seeing a broadcast authenticated codeword $(s,t)$, generates a new codeword $(s',t')$, $s' \neq s$, and hopes that $(s',t')$ will be accepted by $R_w$ as authentic. It follows that

$$P_S[w,L] = \max_{s' \neq s,\ t'} \frac{\bigl|\{U \in \mathcal{F} : sU(1, x_w, \ldots, x_w^{w-1})^T = t(1, x_w, \ldots, x_w^{w-1})^T \text{ and } s'U(1, x_w, \ldots, x_w^{w-1})^T = t'(1, x_w, \ldots, x_w^{w-1})^T\}\bigr|}{\bigl|\{U \in \mathcal{F} : sU(1, x_w, \ldots, x_w^{w-1})^T = t(1, x_w, \ldots, x_w^{w-1})^T\}\bigr|} = \frac{1}{q}.$$

¹ Instead, the sender may choose a $w \times n$ matrix $M = (M_1, \ldots, M_n)$ over $GF(q)$ such that any $w$ columns of $M$ are linearly independent, and let the secret key of $R_i$ be $U M_i$.

Similarly, we have $P_I[i,L] = P_S[i,L] = 1/q$ for any $w$-subset $\{i\} \cup L$ of $\{1, \ldots, n\}$ with $i \notin L$. Thus we have proved that $P_I = P_S = 1/q$. The cardinality parameters are obvious from the construction.



Corollary 17. Let $q > n$ be a prime power. There exists a $(w,n)$ multireceiver A-code with the following parameters

$$|S| = q + 1, \quad |M| = q^w |S|, \quad |E| = q^{2w}, \quad \text{and} \quad |E_i| = q^2,$$

and the probability of success in each attack is $P_I = 1/q$ and $P_S = 1/q$.

The corollary follows from the theorem with $\ell = 2$. The resulting MRA-code meets the bounds of Theorem 10 and hence is optimal.

It is interesting to note that for $w = n = 1$ the above construction results in a conventional (one-sender to one-receiver) A-code with the following parameters

$$|S| = \frac{q^\ell - 1}{q - 1}, \quad |M| = q|S|, \quad |E| = |E_1| = q^\ell,$$

and the probabilities of success in impersonation and substitution are $P_I = 1/q$ and $P_S = 1/q$, respectively. Conventional A-codes with these parameters have been constructed from finite geometries. In particular, for $\ell = 2$ the A-code has the same parameters as the A-code due to Gilbert, MacWilliams and Sloane.

We note that Construction II is more suitable for MRA-codes with a large source space. In the DFY construction and Construction I, the order of the field $GF(q)$ determines the lower bound on the success probabilities in impersonation and substitution, and at the same time bounds the size of the source that can be used in the system ($|S| \le q$). This can result in inefficient constructions for larger sources. For example, a source of size $|S|$ forces $q \ge |S|$ and hence a probability of deception of at most $1/|S|$, which is unnecessarily low. The price paid for this low probability is bigger key sizes, which for practical applications is not acceptable. This restriction is removed in Construction II, and by choosing an appropriate $\ell$ the size of the source can be increased to the required level.



4 Conclusions 

MRA-codes are an important cryptographic primitive in secure group commu- 
nication. In this paper, we gave a formal definition of MRA-codes and derived 
the first information theoretic bounds on their performance. The bounds result 
in combinatorial lower bounds which are generalisations of the previously known 
combinatorial bounds. We established a link between E-codes and MRA-codes 
by giving two constructions that can be used to derive MRA-codes from E-codes. 
The constructions are used to give new optimal MRA-codes. 
APPENDIX I



Proof of Lemma 9. Consider the A-code $C_i = (S, M_i, E_i)$; we define an authentication function $\chi(m_i, e_i)$ on $M_i \times E_i$ as

$$\chi(m_i, e_i) = \begin{cases} 1 & \text{if } m_i \text{ is authentic for the key } e_i, \\ 0 & \text{otherwise.} \end{cases}$$

We have $P(\pi_i(m) \text{ is valid in } C_i) = \sum_{e_i \in E_i} \chi(\pi_i(m), e_i) P(e_i)$. We define an impersonation characteristic function $\chi_I$ on $M \times E_L \times E_i$ by

$$\chi_I(m, e_L, e_i) = \begin{cases} 1 & \text{if } m \text{ is valid for } e \in E \text{ such that } \tau_i(e) = e_i \text{ and } \tau_L(e) = e_L, \\ 0 & \text{otherwise.} \end{cases}$$

From the definition of the impersonation attack we can express $P_I[i,L]$ as

$$P_I[i,L] = \max_{m \in M} P(\pi_i(m) \text{ is valid in } C_i \mid e_L \in E_L) = \max_{m \in M} \sum_{e_i \in E_i} \chi_I(m, e_L, e_i) P(e_i \mid e_L).$$

It follows that for any given $e_L$, and $e_i$ in accordance with $\tau_L(e) = e_L$ and $\tau_i(e) = e_i$, we have $\chi(\pi_i(m), e_i) = \chi_I(m, e_L, e_i)$. Thus

$$P_I[i,L] = \max_{m \in M} P(m \text{ is accepted by } R_i \mid e_L) = \max_{m \in M} \sum_{e_i \in E_i} \chi_I(m, e_L, e_i) P(e_i \mid e_L) = \max_{m \in M} \sum_{e_i \in E_i} \chi(\pi_i(m), e_i) P(e_i \mid e_L) = \max_{m \in M} \sum_{e_i \in E_i} \chi(\pi_i(m), e_i) P(e_i) = P_I[i],$$

where the last equality but one uses the hypothesis $P(e_i \mid e_L) = P(e_i)$.

Proof of Theorem 10. (i) For each $(w-1)$-subset $L$ of $\{1, \ldots, n\}$ and any $i \in \{1, \ldots, n\}$ with $i \notin L$, by Theorem 7 and its corollary we have

$$\left(\frac{1}{q}\right)^2 \ge P_D^2 \ge P_I[i,L]\,P_S[i,L] \ge 2^{-(I(M;E_i \mid E_L) + H(E_i \mid E_L, M))} = 2^{-H(E_i \mid E_L)} \ge 2^{-H(E_i)} \ge 2^{-\log|E_i|} = \frac{1}{|E_i|}.$$

It follows that $|E_i| \ge q^2$.

(ii) Let $L_i = \{1, \ldots, i-1, i+1, \ldots, w\}$, $i = 1, \ldots, w$. We have

$$\left(\frac{1}{q}\right)^{2w} \ge \prod_{i=1}^{w} P_I[i,L_i]\,P_S[i,L_i] \ge 2^{-\sum_{i=1}^{w} H(E_i \mid E_{L_i})} \ge 2^{-\sum_{i=1}^{w} H(E_i \mid E_1, \ldots, E_{i-1})} = 2^{-H(E_1, \ldots, E_w)} \ge 2^{-H(E)} \ge 2^{-\log|E|} = \frac{1}{|E|}.$$

Therefore $|E| \ge q^{2w}$.
(iii) Since $\tau : E \to E_1 \times \cdots \times E_n$ induces a mapping from $E$ to $E_1 \times \cdots \times E_w$, we have $I(M;E) \ge I(M; E_1, \ldots, E_w)$. It follows that

$$I(M;E) \ge I(M; E_1, \ldots, E_w) = \sum_{i=1}^{w} I(M; E_i \mid E_1, \ldots, E_{i-1}) = \sum_{i=1}^{w} I(M; E_i \mid E_{Q_i}),$$

where $Q_i = \{1, \ldots, i-1\}$. Since for each $1 \le i \le w$ we have $P_I[i,Q_i] \le P_I[i,L_i] \le 1/q$, it follows that

$$2^{-I(M;E)} = 2^{-H(M)}\, 2^{H(M \mid E)} \le \prod_{i=1}^{w} 2^{-I(M; E_i \mid E_{Q_i})} \le \prod_{i=1}^{w} P_I[i,Q_i] \le \left(\frac{1}{q}\right)^{w}.$$

Since $S$ is assumed to be uniformly distributed, we know that $H(M \mid E) = H(S) = \log|S|$. Hence $|M| \ge 2^{H(M)} \ge q^w\, 2^{H(M \mid E)} = q^w |S|$, which proves (iii).

The bounds are tight, as Section 3 gives constructions that meet them with equality.



APPENDIX II 



In the following we give a comparison between the bounds obtained in Theorem 10 and the bounds derived by Kurosawa and Obana (KO).

1. The first part of Theorem 9 in KO proves that $P_I \ge (|S|/|M|)^{1/w}$. We show that our Theorem 10 (iii) implies that $P_D = \max\{P_I, P_S\} \ge (|S|/|M|)^{1/w}$. This is because, assuming $P_D = \max\{P_I, P_S\} = 1/q$ and using Theorem 10 (iii), we have

$$|M| \ge q^w |S| \ \Longrightarrow\ P_D = \frac{1}{q} \ge \left(\frac{|S|}{|M|}\right)^{1/w}.$$

This is similar to the KO result but uses a different assumption: the KO result only applies to MRA-codes that are perfect for impersonation, while our result is for general MRA-codes.

2. Theorems 10 and 11 in KO in fact prove the following result (see also the introduction in KO).

Theorem 18. (KO) For a $(w,n)$ MRA-code without secrecy, if $P_I = P_S = (|S|/|M|)^{1/w}$, then $|E| \ge (|M|/|S|)^2$ and $|E_i| \ge (|M|/|S|)^{2/w}$ for all $1 \le i \le n$.

This result can also be obtained from Theorem 10. Indeed, since $P_I = P_S = (|S|/|M|)^{1/w}$, we have $P_D = 1/q$ where $q = (|M|/|S|)^{1/w}$. By our Theorem 10 (i) and (ii) it follows that $|E_i| \ge q^2 = (|M|/|S|)^{2/w}$ and $|E| \ge q^{2w} = (|M|/|S|)^2$, proving the desired result.

This result applies to all $(w,n)$ MRA-codes and does not require the code to be perfect for impersonation, or the assumption that the code is without secrecy.

3. The second parts of Theorems 9, 10 and 11 in KO do not have any counterpart in this paper.
Abstract. Anonymous off-line electronic cash (e-cash) systems provide transactions that retain the anonymity of the payer, similar to physical cash exchanges, without requiring the issuing bank to be on-line at payment. Fair off-line e-cash extends this capability to allow a qualified third party (a "trustee") to revoke this anonymity under a warrant or other specified "suspicious" activity. Extensions for achieving fair off-line e-cash based on off-line e-cash require modularity to be applicable in general settings. Simplicity (for ease of understanding and implementation) and efficiency (for cost effectiveness) are of high importance, otherwise these generic extensions will be hard and costly to apply. Of course, security must also be guaranteed and understood, yet, to date, there have been no efficient systems that offer provable security.

A system which is (1) provably secure based on well understood assumptions, (2) efficient and (3) conceptually easy, is typically "elegant." In this work we make a step towards an elegant fair off-line e-cash system by proposing a system which is provably anonymous (i.e., secure for legitimate users) while its design is simple and its efficiency is similar to the most efficient systems to date. Security for the bank and shops is unchanged from the security of non-traceable e-cash. We also present ways to adapt the functionality of "fairness" into existing e-cash systems in a modular way, thus easing advancement and maintaining version compatibility; these extensions are also provably anonymous.



Keywords: Electronic cash, anonymity revocation, decision Diffie-Hellman. 

1 Introduction 

Simplicity is the crux of system design; when it comes to secure systems it is even more 
important for two reasons: first, it limits the possibility of errors during design and imple- 
mentation and eases the proof of security; second, it potentially allows the algorithms to 
run on reduced computational resources. 

In this work we simplify the method of achieving fair off-line e-cash based on any (single-term) off-line e-cash system (we demonstrate the functionality under Brands' scheme [Bra93b]). We do so without affecting the security of the basic system, while we prove the security (i.e., anonymity of legitimate users) of the "fairness" extension using a better understood assumption, that of decision Diffie-Hellman. Our goal is to move a step closer to "elegant" fair e-cash, i.e., to minimize the number of added requirements, security assumptions and overhead while extending the e-cash systems into fair ones. We utilize the recent result showing equivalence of the semantic security (namely, security in the sense of indistinguishability) of ElGamal encryption and the decision Diffie-Hellman assumption.

The model: Fair off-line electronic cash (FOLC), introduced independently in two earlier works, extends anonymous off-line electronic cash and involves a bank ($\mathcal{B}$), a collection of users (a single user is called $\mathcal{U}$), a collection of receivers/shops (a single receiver is denoted by $\mathcal{R}$), and a collection of Trustees (judges/escrow agents) which act like one party¹ (and are denoted as $\mathcal{T}$). FOLC includes five basic protocols, three of which are the same as in off-line electronic cash: a withdrawal protocol with which $\mathcal{U}$ withdraws electronic coins from $\mathcal{B}$ while his account is debited, a payment protocol with which $\mathcal{U}$ pays the coin to $\mathcal{R}$, and a deposit protocol with which $\mathcal{R}$ deposits the coin to $\mathcal{B}$ and has his account credited.

* CertCo, NY, NY. e-mail: frankely@certco.com

** GTE Laboratories, Inc., Waltham, MA. e-mail: ytsiounis@gte.com

*** CertCo, NY, NY. e-mail: moti@certco.com, moti@cs.columbia.edu

¹ It is outside the scope of this paper to show how the power of the Trustees can be equally distributed. $\mathcal{T}$ should be envisioned as being a single trusted entity.

K. Ohta and D. Pei (Eds.): ASIACRYPT'98, LNCS 1514, pp. 257-..., 1998.

(c) Springer-Verlag Berlin Heidelberg 1998

The two additional protocols are: owner tracing, in which $\mathcal{B}$ gives to $\mathcal{T}$ the view of a deposit protocol and $\mathcal{T}$ returns a string that contains the identifying information of the coin's owner (which $\mathcal{B}$ can use to identify the owner via its account databases); and coin tracing, in which $\mathcal{T}$, given the view of a withdrawal protocol from $\mathcal{B}$, returns some information that originated from this withdrawal. $\mathcal{B}$ can use the returned value to find the coin(s) by accessing its views of the deposit protocols. Hence, owner tracing allows tracing of suspicious payments, while coin tracing allows the authorities to find the destination of suspicious withdrawals. We do not consider the strong bank robbery attacks.

Previous work: [FTY96] introduced the notion of "indirect discourse proofs" and used it to implement FOLC; however, payments had to be interactive, while security required novel assumptions. Here we implement non-interactive indirect discourse proofs, while our complete solution is more secure and as efficient as owner tracing alone on that system. [FTY96] also proved that anonymity in FOLC cannot be unconditional. [CMS96] introduced efficient owner and coin tracing protocols; coin tracing in particular was much faster than in [FTY96]. However, security was not analyzed, while owner tracing was performed against the database of withdrawn coins, i.e., $\mathcal{T}$ returns to $\mathcal{B}$ a value appearing in a withdrawal transcript instead of the user's identity; this reduces the computational requirements at withdrawal and payment (i.e., "enforcement" of owner tracing capability), but requires more time for owner tracing. Here we perform owner tracing against the account database (i.e., we escrow the "users' identities") while retaining the efficiency of [CMS96]. [FTY97] simplified the protocols of [FTY96] using faster coin tracing techniques, on par with [CMS96]; security however still required novel assumptions, while payments were again interactive. A more recent system presented efficient protocols (for account-based owner tracing) with non-interactive payments, but its anonymity depends on more complex assumptions (these are not specified in a strict sense, but our evaluation shows that the main assumption is a variant of the decision Diffie-Hellman assumption, similar to the "matching Diffie-Hellman" assumption introduced earlier). Our efficiency is on par with this system, but we can concretely prove anonymity under the decision Diffie-Hellman assumption.

Security assumptions: Security of the basic off-line e-cash scheme is based on the blind signature protocol that we use as an underlying block; in the case we demonstrate here, this is the same as in [Bra93b], but other protocols can be used. All such protocols are based on the random oracle model and, although the unforgeability of the resulting signatures is provable, their restrictive properties are still unproven. We prove the anonymity of our system based on the decision Diffie-Hellman assumption.

Structure of the paper: In Section 2 we present the ElGamal encryption scheme and the decision Diffie-Hellman assumption, as well as some known impossibility results for FOLC. In Section 3 we present the building blocks for our protocols, namely a blind signature scheme with some restrictive properties, proofs of equality of logarithms and non-interactive indirect discourse proofs. In Section 4 we show how FOLC can be added in a modular way to existing systems, while in Section 5 we show how to achieve FOLC efficiently and securely if we have more freedom in the system design phase. We discuss the security in Section 6 and conclude with open problems in Section 7.
2 Preliminaries

In [FTY96] it was shown which cryptographic assumptions are needed for FOLC, as summarized in the following theorems.

Theorem 1 (1) Unconditional unlinkability is impossible in FOLC even if only owner tracing or coin tracing is supported. (2) Further, any implementation of FOLC based on a black-box reduction from an arbitrary one-way permutation will separate P and NP (thus, it seems implausible, since it would yield a breakthrough in complexity theoretic proof techniques).

Theorem 2 Given off-line e-cash and public-key encryption, there exists a FOLC system in which anonymity is semantically secure (in the sense of secure encryption).

A semantically secure encryption scheme which has homomorphic properties is the ElGamal encryption scheme:

Definition 1. (ElGamal public-key encryption scheme) The ElGamal public-key encryption scheme is defined by a triplet $(G, E, D)$ of probabilistic polynomial-time algorithms, with the following properties:

- The system setup algorithm, $S$, on input $1^n$, where $n$ is the security parameter, outputs the system parameters $(p, q, g)$, where $(p, q, g)$ is an instance of the DLP collection, i.e., $p$ is a uniformly chosen prime of length $|p| = n + \delta$ for a specified constant $\delta$, and $g$ is a uniformly chosen generator of the subgroup $G_q$ of prime order $q$ of $\mathbb{Z}_p^*$, where $q = (p-1)/\gamma$ is prime and $\gamma$ is a specified integer.

- The key generating algorithm, $G$, on input $(p, q, g)$, outputs a public key $e = (p, q, g, y)$ and a private key $d = (p, q, g, x)$, where $x$ is a uniformly chosen element of $\mathbb{Z}_q$ and $y = g^x \bmod p$.

- The encryption algorithm, $E$, on input $(p, q, g, y)$ and a message $m \in G_q$, uniformly selects an element $k$ in $\mathbb{Z}_q$ and outputs

$$E((p,q,g,y), m) = (g^k \pmod p,\ m y^k \pmod p).$$

- The decryption algorithm, $D$, on input $(p, q, g, x)$ and a ciphertext $(y_1, y_2)$, outputs

$$D((p,q,g,x), (y_1, y_2)) = y_2\,(y_1^{\,x})^{-1} \pmod p.$$

For simplicity we write $E(m) = (g^k, m y^k)$ for public key $y$.

Definition 2. (Decision Diffie-Hellman problem) For security parameter $n$, $p$ a prime with $|p-1| = \delta + n$ for a specified constant $\delta$, $g \in \mathbb{Z}_p^*$ a generator of prime order $q = (p-1)/\gamma$ for a specified integer $\gamma$, and $a, b \in_R \mathbb{Z}_q$ random, given $[g^a, g^b, y]$ output 0 if $y = g^{ab} \pmod p$ and 1 otherwise, with probability better than $1/2 + 1/n^c$ for any constant $c$ for large enough $n$.

The decision Diffie-Hellman assumption states that it is infeasible to solve the decision Diffie-Hellman problem. A proof of the following has been presented:

Theorem 3 The ElGamal encryption scheme is semantically secure if and only if there does not exist a p.p.t. TM that solves the decision Diffie-Hellman problem.

We remark here that Theorem 3 is true even for a modified "inverted" ElGamal encryption, i.e., when $E(m) = (y^k, m g^k)$ with $y$ the public key.
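ElGamal in the form of Definition 1, the "inverted" variant of the remark above, and the multiplicative homomorphism that makes the scheme useful for the tracing extensions, as an added example (not the paper's code). The parameters $p = 2039$, $q = 1019$ ($p = 2q + 1$, so $\gamma = 2$) and $g = 4$ are toy choices that give a prime-order subgroup but no security; the function names are this example's own. The encryptor refuses messages outside $G_q$, the membership condition the definition imposes on $m$.

```python
"""ElGamal over the prime-order subgroup G_q of Z_p^* (Definition 1), the "inverted"
variant E'(m) = (y^k, m g^k), and the multiplicative homomorphism.
Added example, not the paper's code; p, q, g are toy parameters and not secure."""
import random

P, Q = 2039, 1019          # p = 2q + 1 with both prime (gamma = 2 in the definition); toy size
GEN = 4                    # 4 = 2^2 is a square, so it has order q and generates G_q
assert pow(GEN, Q, P) == 1 and GEN != 1


def keygen(rng, p=P, q=Q, g=GEN):
    """Public key e = (p, q, g, y), private key d = (p, q, g, x) with y = g^x."""
    x = rng.randrange(1, q)
    return (p, q, g, pow(g, x, p)), (p, q, g, x)


def encrypt(pk, m, rng):
    """E(m) = (g^k, m y^k) for m in G_q and k uniform in Z_q."""
    p, q, g, y = pk
    if pow(m, q, p) != 1:
        raise ValueError("message must be an element of G_q")
    k = rng.randrange(1, q)
    return (pow(g, k, p), m * pow(y, k, p) % p)


def decrypt(sk, ct):
    """D(y1, y2) = y2 (y1^x)^-1."""
    p, q, g, x = sk
    y1, y2 = ct
    return y2 * pow(pow(y1, x, p), p - 2, p) % p


def encrypt_inverted(pk, m, rng):
    """The "inverted" form of the remark: E'(m) = (y^k, m g^k)."""
    p, q, g, y = pk
    k = rng.randrange(1, q)
    return (pow(y, k, p), m * pow(g, k, p) % p)


def decrypt_inverted(sk, ct):
    """y1 = y^k = g^(xk), so raising y1 to 1/x (mod q) recovers the mask g^k."""
    p, q, g, x = sk
    y1, y2 = ct
    mask = pow(y1, pow(x, q - 2, q), p)
    return y2 * pow(mask, p - 2, p) % p


def multiply(ct1, ct2, p=P):
    """Coordinate-wise product of two ciphertexts decrypts to the product of plaintexts."""
    return (ct1[0] * ct2[0] % p, ct1[1] * ct2[1] % p)


def rejects_non_subgroup(pk, rng):
    """-1 is not a square mod p = 2q + 1 (q odd), so it lies outside G_q and must be refused."""
    try:
        encrypt(pk, P - 1, rng)
    except ValueError:
        return True
    return False


def demo(seed=5):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    m1, m2 = pow(GEN, 17, P), pow(GEN, 42, P)       # plaintexts chosen inside G_q
    c1, c2 = encrypt(pk, m1, rng), encrypt(pk, m2, rng)
    return {
        "roundtrip": decrypt(sk, c1) == m1,
        "homomorphic": decrypt(sk, multiply(c1, c2)) == m1 * m2 % P,
        "inverted_roundtrip": decrypt_inverted(sk, encrypt_inverted(pk, m1, rng)) == m1,
        "rejects_non_subgroup": rejects_non_subgroup(pk, rng),
    }


if __name__ == "__main__":
    print(demo())
```

The inverted variant decrypts with $x^{-1} \bmod q$ rather than $x$; that the two forms share the same security reduction is the content of the remark, and the homomorphism is what lets a trustee-readable encryption of an identity be combined with other committed values later in the paper.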
3 Building Blocks

All off-line electronic cash schemes to date utilize a blinding protocol that allows the bank to verify that users embed their identity in the coin. In turn, all fair off-line e-cash schemes employ a protocol for proving relations between committed values. We devote one subsection to each concept. In addition we show an implementation of "indirect discourse proofs" (introduced in [FTY96]) based on proofs of equality of logarithms.

3.1 The Blinding Protocol

There are several blind signature protocols in the literature which allow the signer to verify that some values are correctly embedded by the requester. The first such protocol relied on the costly (in terms of both speed and storage) "cut-and-choose" technique; here we will use protocols that avoid it, such as the withdrawal and "blind signature" protocols of several later schemes and in particular the "restrictive blinding" in [Bra93b]. We will demonstrate one particular such protocol, Brands' "restrictive blind signature," but it should be noted that the ideas presented are applicable to any of the other sub-protocols used as building blocks.

We now describe the blinding protocol in [Bra93b], between a signer $\mathcal{S}$ and a verifier $\mathcal{V}$.

Setup: Let $p$ and $q$ be primes such that $|p-1| = \delta + k$ for a specified constant $\delta$, and $p = \gamma q + 1$ for a specified integer $\gamma$. Define the unique subgroup $G_q$ of prime order $q$ of the multiplicative group $\mathbb{Z}_p^*$ and generators $g, g_1, g_2$ of $G_q$. Let $\mathcal{H}, \ldots$ be hash functions from a family of collision intractable hash functions.



Let $x_S \in_R \mathbb{Z}_q$ be the secret key of the signer. The signer publishes its public keys

$$h = g^{x_S}, \quad h_1 = g_1^{x_S}, \quad h_2 = g_2^{x_S}.$$

Let $u_1 \in \mathbb{Z}_q$ be the verifier's private key and $I = g_1^{u_1}$ his public identification information (knowledge of the private key should be verified, as pointed out in earlier work, using e.g. a Schnorr proof of knowledge [Sch91]).

The protocol creates a blind signature of $I$. $\mathcal{V}$ will end up with a Schnorr-type signature on $(I g_2)^s$, where $s$ is a random number (chosen by $\mathcal{V}$ and kept secret). The exact form of the signature is $sig(A, B) = (z, a, b, r)$ satisfying:

$$g^r = h^{\mathcal{H}(A,B,z,a,b)}\, a \quad \text{and} \quad A^r = z^{\mathcal{H}(A,B,z,a,b)}\, b. \qquad (1)$$

The blinding protocol (over an authenticated channel between $\mathcal{V}$ and $\mathcal{S}$) appears in Figure 1.

This protocol produces a signed number $A$ of the form $(I g_2)^s$, i.e., $A$ is an unconditionally-hiding commitment to the verifier's identity $I$. There are no complete security proofs for such protocols, but they are used in every efficient e-cash scheme and have received continuous scrutiny in recent years. There do however exist security arguments under the random oracle model for the existential unforgeability of such signature schemes, but not for their "restrictive" properties (i.e., we cannot yet prove that $A$ is a correct commitment to $I$).



3.2 Proving Equality of Logarithms 

A basic tool for both owner and coin tracing is an efficient blind proof of equality of lo- 
garithms. Such proofs are used for FOLC either in isolation, or as a block in constructing 
non-interactive indirect discourse proofs, which can then provide some of the functionality 
needed for FOLC. 
$\mathcal{S}$ blindly signs $A$, such that $A$ embeds the identity $I$ of $\mathcal{V}$.

$\mathcal{V}$: chooses $s \in_R \mathbb{Z}_q$; computes $A = (I g_2)^s$, $z' = h_1^{u_1} h_2$ (which equals $(I g_2)^{x_S}$) and $z = z'^{\,s}$.

$\mathcal{S}$: chooses $w \in_R \mathbb{Z}_q$; computes $a' = g^w$ and $b' = (I g_2)^w$; sends $a', b'$ to $\mathcal{V}$.

$\mathcal{V}$: chooses $x_1, x_2, u, v \in_R \mathbb{Z}_q$; computes $B = g_1^{x_1} g_2^{x_2}$, $a = (a')^u g^v$, $b = (b')^{su} A^v$, $c = \mathcal{H}(A, B, z, a, b)$ and $c' = c/u \bmod q$; sends $c'$ to $\mathcal{S}$.

$\mathcal{S}$: computes the response $r' = c' x_S + w \bmod q$ and sends $r'$ to $\mathcal{V}$.

$\mathcal{V}$: computes $r = r'u + v \bmod q$.

Fig. 1. Blind signature protocol, embedding the verifier's identity. At the end of the protocol $\mathcal{V}$ verifies: $g^r \stackrel{?}{=} h^c a$, $A^r \stackrel{?}{=} z^c b$.
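The exchange of Fig. 1 with both parties' steps, as an added example (not the paper's code): the signer only ever sees $a', b', c', r'$, while the verifier ends with $(z, a, b, r)$ satisfying equation (1) on the blinded $A = (I g_2)^s$. The group parameters $p = 2039$, $q = 1019$, the generators, the identity exponent $u_1$ and sha256 standing in for $\mathcal{H}$ are toy choices; the signer's response $r' = c' x_S + w \bmod q$ is the standard Brands response, the one that makes the two verification equations hold.

```python
"""Brands' restrictive blind signature (Fig. 1) with both parties' computations.
Added example, not the paper's code; p, q, the generators, u_1 and sha256 as the
hash are toy choices and give no security."""
import hashlib
import random

P, Q = 2039, 1019                                 # p = 2q + 1, both prime; toy, not secure


def subgroup_gen(seed_int):
    """Square an element of Z_p^*; every square other than 1 has order q when p = 2q + 1."""
    h = pow(seed_int, 2, P)
    assert h != 1 and pow(h, Q, P) == 1
    return h


g, g1, g2 = subgroup_gen(2), subgroup_gen(3), subgroup_gen(5)   # generators of G_q


def hash_to_zq(*values):
    """H(A, B, z, a, b) reduced modulo q (sha256 stands in for H)."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def signer_keys(rng):
    """x_S secret; public (h, h1, h2) = (g^x_S, g1^x_S, g2^x_S)."""
    x_s = rng.randrange(1, Q)
    return x_s, (pow(g, x_s, P), pow(g1, x_s, P), pow(g2, x_s, P))


def signer_round1(rng, I):
    """S: w in Z_q, a' = g^w, b' = (I g2)^w."""
    w = rng.randrange(1, Q)
    return w, (pow(g, w, P), pow(I * g2 % P, w, P))


def signer_round2(x_s, w, c_prime):
    """S: r' = c' x_S + w mod q (the standard Brands response)."""
    return (c_prime * x_s + w) % Q


def withdraw(rng, x_s, pub, u1):
    """Runs the whole exchange for a verifier with identity I = g1^u1.
    Returns (A, B, (z, a, b, r)) and the signer's view (a', b', c', r')."""
    h, h1, h2 = pub
    I = pow(g1, u1, P)                                   # verifier's public identity
    s = rng.randrange(1, Q)
    A = pow(I * g2 % P, s, P)                            # A = (I g2)^s
    z_prime = pow(h1, u1, P) * h2 % P                    # z' = h1^u1 h2 = (I g2)^x_S
    z = pow(z_prime, s, P)
    w, (a_prime, b_prime) = signer_round1(rng, I)
    x1, x2, u, v = (rng.randrange(1, Q) for _ in range(4))
    B = pow(g1, x1, P) * pow(g2, x2, P) % P
    a = pow(a_prime, u, P) * pow(g, v, P) % P            # a = a'^u g^v
    b = pow(b_prime, s * u % Q, P) * pow(A, v, P) % P    # b = b'^(su) A^v
    c = hash_to_zq(A, B, z, a, b)
    c_prime = c * pow(u, Q - 2, Q) % Q                   # c' = c / u
    r_prime = signer_round2(x_s, w, c_prime)
    r = (r_prime * u + v) % Q                            # r = r' u + v
    return (A, B, (z, a, b, r)), (a_prime, b_prime, c_prime, r_prime)


def verify_signature(A, B, sig, h):
    """Equation (1): g^r = h^c a and A^r = z^c b with c = H(A, B, z, a, b)."""
    z, a, b, r = sig
    c = hash_to_zq(A, B, z, a, b)
    return (pow(g, r, P) == pow(h, c, P) * a % P and
            pow(A, r, P) == pow(z, c, P) * b % P)


def demo(seed=9):
    rng = random.Random(seed)
    x_s, pub = signer_keys(rng)
    (A, B, sig), signer_view = withdraw(rng, x_s, pub, u1=77)
    return {
        "valid": verify_signature(A, B, sig, pub[0]),
        "other_B_fails": not verify_signature(A, B * g2 % P, sig, pub[0]),
        "signer_view": signer_view,
    }


if __name__ == "__main__":
    print(demo())
```

The two blinding exponents do different jobs: $s$ hides which $I$ is inside $A$ (the unconditionally hiding commitment the text refers to), while $u, v$ randomise the Schnorr transcript so that $(c', r')$ seen by the signer cannot be linked to the $(c, r)$ that is later spent.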



Setup: A probabilistic polynomial-time (p.p.t.) prover $\mathcal{P}$ and a p.p.t. verifier $\mathcal{V}$.

Common input is $A, B, a, b, G_1, G_2, G_3$, with $a, b, G_1, G_2, G_3$ generators of $G_q$, a subgroup of prime order $q$ of the multiplicative group $\mathbb{Z}_p^*$ for some large prime $p$. The prover is assumed not to know the relative discrete logarithms of $a, b, G_1, G_2, G_3$.

Secret input to $\mathcal{P}$ is $x, v, w$ such that $A = a^x G_1^v \pmod p$, $B = b^x G_2^w \pmod p$ (for simplicity we henceforth use the notation $A = a^x G_1^v$).

Notation: $\mathrm{EqLog}[(A, a), G_1, (B, b), G_2]$ denotes that $A = a^x G_1^v$ and $B = b^x G_2^w$ for some $x, v, w \in \mathbb{Z}_q$, with $G_1, G_2$ generators of $G_q$. The reader may wish to think of this as $\log_a A = \log_b B$ for intuition (computations are always mod $p$).

The proof appears in Figure 2.



$\mathrm{EqLog}[(A, a), G_1, (B, b), G_2]$

Input: $A, B$.

$\mathcal{P}$ proves that $A = a^{x} G_1^{v}$, $B = b^{x} G_2^{w}$, i.e., $\log_a A = \log_b B$:

$\mathcal{P}$: $y, s_1, s_2 \in_R \mathbb{Z}_q$; $A' = a^{y} G_1^{s_1}$, $B' = b^{y} G_2^{s_2}$; sends $A', B'$ to $\mathcal{V}$.
$\mathcal{V}$: $c \in_R \mathbb{Z}_q$, or $c = \mathcal{H}(A, A', a, G_1, B, B', b, G_2, \mathrm{Date/Time}, \mathrm{Info})$; sends $c$ to $\mathcal{P}$.
$\mathcal{P}$: $r = c \cdot x + y$, $r_1 = c \cdot v + s_1$, $r_2 = c \cdot w + s_2$ (all $\bmod q$); sends $r, r_1, r_2$ to $\mathcal{V}$.
$\mathcal{V}$ verifies: $a^{r} \cdot G_1^{r_1} = A^{c} \cdot A'$ and $b^{r} \cdot G_2^{r_2} = B^{c} \cdot B'$.

Fig. 2. Proof of equality of logarithms.



The proof is essentially a set of parallel Schnorr knowledge proofs and can be used to prove equality of more than two logarithms (see "extensions" below). As with those proofs, this minimal-knowledge proof can be made non-interactive and transferable under the random oracle model, with the challenge $c$ being computed as a hash function of $\{A, A', a, G_1, B, B', b, G_2, \mathrm{Date/Time}, \mathrm{Info}\}$ and the hash function behaving like a random oracle.

We now discuss the correctness and zero-knowledge of the proof.

Correctness: It suffices to show that if a prover can answer two challenges then s/he knows two representations as required (i.e., $A = a^{x} G_1^{v}$ and $B = b^{x} G_2^{w}$); then, if the prover cannot break the discrete log problem, s/he cannot know any other representations of $A, B$ w.r.t. $(a, G_1)$, $(b, G_2)$ respectively [Bra93b], since the relative logarithms of $a$ w.r.t. $G_1$ and $b$ w.r.t. $G_2$ are secret. Therefore there are only two possibilities: either the prover can answer exactly one challenge (which depends on the construction of $(A, B)$, i.e., it is "pre-selected" via the choice of $(A, B)$) or s/he knows the correct representations. But since the challenges are produced at random, the prover has only negligible probability of answering the "pre-selected" challenge without knowing the correct representations.

Now it is easy to see that given two answers to different challenges, $r = c \cdot x + y$, $r' = c' \cdot x + y$ and $[r_1 = c \cdot v + s_1,\ r_2 = c \cdot w + s_2]$, $[r'_1 = c' \cdot v + s_1,\ r'_2 = c' \cdot w + s_2]$, one can solve the system of equations (where $r, r', r_1, r_2, r'_1, r'_2$ and $c, c'$ are known values) to compute $x, y, v, w, s_1$ and $s_2$; e.g., $x = (r - r')(c - c')^{-1} \bmod q$ and likewise $v$ from $r_1, r'_1$ and $w$ from $r_2, r'_2$. Thus if the prover can answer two challenges, it knows (can compute) the correct representations.

Zero-knowledge: The proofs can be simulated w.r.t. an honest verifier. In the interactive setting this is done by the verifier selecting a random challenge $c$ and random "responses" $r, r_1, r_2$, and computing $A' = A^{-c} a^{r} G_1^{r_1}$, $B' = B^{-c} b^{r} G_2^{r_2}$. Here we assume that the verifier is honest, i.e., that $c$ is indeed randomly chosen (and can be learned in a simulation).

In the non-interactive setting the simulations are performed under the random oracle model, as in the Fiat-Shamir transformation. Briefly, here the challenge is constructed using a hash function: $c = \mathcal{H}(A, A', a, G_1, B, B', b, G_2, \mathrm{Date/Time}, \mathrm{Info})$ where the hash function $\mathcal{H}$ is modeled as (i.e., assumed to act like) a "random oracle," or "perfect hash function". The simulator proceeds as previously; the random oracle assumption is used in the construction of $c$. I.e., we want to guarantee that after choosing $c, r, r_1, r_2$ and computing $A', B'$, the equation $c = \mathcal{H}(A, A', a, G_1, B, B', b, G_2, \mathrm{Date/Time}, \mathrm{Info})$ still holds. For this we let the simulator "change" the output of the random oracle $\mathcal{H}$, such that on input this particular vector it outputs $c$. The resulting "modified" random oracle cannot be distinguished from the original, since $c$ was originally chosen as a random value. As the random value $c$ is here substituted by the output of the random oracle, the "honest verifier" assumption is guaranteed; i.e., in the non-interactive version, and under the random oracle assumption, the equality of logarithm proofs are zero-knowledge. Full proof to appear in extended version.
Extensions: The same proof can be used for more than two values; thus we can define $\mathrm{EqLog}[(A, a), G_1, (B, b), G_2, (C, c), G_3]$ to prove equality between the respective logarithms of $A$, $B$ and $C$. The protocol and security proofs are similar; we omit the description for conciseness. (Although it is simple to observe that two consecutive proofs of equality of logarithms for $(A, B)$ and $(B, C)$ respectively achieve the same result, but with slightly higher computation.) This extended version is used in section 5.
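The protocol of Figure 2 and the two arguments above, as an added example that is not part of the original paper: a prover and verifier for $\mathrm{EqLog}[(A,a),G_1,(B,b),G_2]$ in both interactive and non-interactive (hashed challenge) form, the knowledge extractor from the correctness argument (two responses to different challenges on the same $A', B'$ give $x, v, w$), and the honest-verifier simulator from the zero-knowledge argument. The toy group $p = 2q+1$, the generators, and SHA-256 in place of $\mathcal{H}$ are assumptions of this example.

```python
"""EqLog[(A,a),G1,(B,b),G2] of Fig. 2 over a toy prime-order group.

Added example, not from the paper.  Toy p = 2q + 1; SHA-256 stands in for H.
"""
import hashlib
import secrets

P, Q = 2039, 1019   # constructed toy parameters: both prime, P = 2*Q + 1


def gen(seed):
    g = pow(seed, 2, P)   # squares of Z_p^* form the order-q subgroup
    assert g != 1
    return g


a, b, G1, G2 = gen(2), gen(3), gen(5), gen(7)   # relative logs unknown to the prover


def H(*vals):
    """Random-oracle stand-in: SHA-256 of the transcript, reduced mod q."""
    data = "|".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def commit():
    """P: y, s1, s2 random; A' = a^y G1^s1, B' = b^y G2^s2."""
    y, s1, s2 = (secrets.randbelow(Q) for _ in range(3))
    A1 = pow(a, y, P) * pow(G1, s1, P) % P
    B1 = pow(b, y, P) * pow(G2, s2, P) % P
    return (A1, B1), (y, s1, s2)


def respond(c, secret, state):
    """P: r = c x + y, r1 = c v + s1, r2 = c w + s2 (mod q)."""
    x, v, w = secret
    y, s1, s2 = state
    return ((c * x + y) % Q, (c * v + s1) % Q, (c * w + s2) % Q)


def check(A, B, comm, c, resp):
    """V: a^r G1^r1 = A^c A' and b^r G2^r2 = B^c B'."""
    A1, B1 = comm
    r, r1, r2 = resp
    ok_a = pow(a, r, P) * pow(G1, r1, P) % P == pow(A, c, P) * A1 % P
    ok_b = pow(b, r, P) * pow(G2, r2, P) % P == pow(B, c, P) * B1 % P
    return ok_a and ok_b


def challenge(A, B, comm, info, date):
    """Non-interactive challenge c = H(A, A', a, G1, B, B', b, G2, Date/Time, Info)."""
    A1, B1 = comm
    return H(A, A1, a, G1, B, B1, b, G2, date, info)


def prove_ni(secret, A, B, info="purchase", date="1998-10-18"):
    comm, state = commit()
    return comm, respond(challenge(A, B, comm, info, date), secret, state)


def verify_ni(A, B, proof, info="purchase", date="1998-10-18"):
    comm, resp = proof
    return check(A, B, comm, challenge(A, B, comm, info, date), resp)


def extract(c1, resp1, c2, resp2):
    """Correctness argument: two responses to different challenges on the same
    (A', B') give (x, v, w) as (r - r')/(c - c') and the analogues for r1, r2."""
    inv = pow((c1 - c2) % Q, -1, Q)
    return tuple((t1 - t2) * inv % Q for t1, t2 in zip(resp1, resp2))


def simulate(A, B):
    """Honest-verifier ZK simulator: pick c, r, r1, r2 first, then solve for A', B'."""
    c, r, r1, r2 = (secrets.randbelow(Q) for _ in range(4))
    A1 = pow(A, -c, P) * pow(a, r, P) * pow(G1, r1, P) % P
    B1 = pow(B, -c, P) * pow(b, r, P) * pow(G2, r2, P) % P
    return (A1, B1), c, (r, r1, r2)
```

Binding Date/Time and Info into the hash is what stops a payee from replaying a non-interactive proof in a different transaction; reusing the same commitment for two different challenges, as the extractor shows, hands the representation to whoever sees both transcripts, which is exactly the property the e-cash protocols below exploit against double-spenders.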



3.3 Indirect Discourse Proofs 

We now show how proofs of equality of logarithms can be used to create indirect discourse proofs. These will be used for the protocols of section 4 but not for section 5; if interested only in simplicity and not backwards compatibility we encourage the reader to move directly to section 5.

In this particular example of indirect discourse proofs, tailored to our purposes, we will construct a proof which shows a specific construction for three numbers $A, B, C$. This is a more general construction than we actually need for section 4.

The proof appears in Figure 3. The interactive form is shown, but the proof can be made non-interactive by computing the challenge using a random oracle $\mathcal{H}$: $c = \mathcal{H}(A, B, C, A', B', a, b, G_1, G_2, G_3, \mathrm{Date/Time}, \mathrm{Info})$, where "Info" is some transaction-related information (such as the identity of $\mathcal{V}$ or the transaction purpose/description/amount).

Notation: we use $\mathrm{IndPrf}[(A, a), G_1, (B, b, C|G_3), G_2]$ to denote that $A = a^{x} G_1^{v}$, $B = C^{x} G_2^{w} G_3^{t} = b^{x} G_2^{w}$.



$\mathrm{IndPrf}[(A, a), G_1, (B, b, C|G_3), G_2]$

Input: $A$, $B = b^{x} G_2^{w}$, $C$.

$\mathcal{P}$ will prove to $\mathcal{V}$ that $A = a^{x} G_1^{v}$, $B = C^{x} G_2^{w} G_3^{t} = b^{x} G_2^{w}$:

$\mathcal{P}$: $y, s_1, s_2, s_3 \in_R \mathbb{Z}_q$; $A' = a^{y} G_1^{s_1}$, $B' = C^{y} G_2^{s_2} G_3^{s_3}$; sends $A', B'$ to $\mathcal{V}$.
$\mathcal{V}$: $c \in_R \mathbb{Z}_q$; sends $c$ to $\mathcal{P}$.
$\mathcal{P}$: $r = c \cdot x + y$, $r_1 = c \cdot v + s_1$, $r_2 = c \cdot w + s_2$, $r_3 = c \cdot t + s_3$ (all $\bmod q$); sends $r, r_1, r_2, r_3$ to $\mathcal{V}$.
$\mathcal{V}$ verifies: $a^{r} \cdot G_1^{r_1} = A^{c} \cdot A'$ and $C^{r} \cdot G_2^{r_2} \cdot G_3^{r_3} = B^{c} \cdot B'$.

Fig. 3. Indirect discourse proof.



We omit the proof of security due to lack of space; its construction is similar to the correctness and zero-knowledge proof of the protocol for proving equality of logarithms in section 3.2 above.



4 Retaining Existing Infrastructure

Changing systems that have already been implemented sometimes requires a disproportionate amount of effort, compared to the changes required. Thus it is important to devise techniques that enhance functionality without affecting existing systems. In this section we show how modular additions to off-line electronic cash systems can be used to construct FOLC in a seamless manner. We elect to show our additions on Brands' protocol, but similar solutions are possible in other blinding protocols. As mentioned earlier, our focus is primarily security (i.e., basing anonymity on the decision Diffie-Hellman assumption) and efficiency.



4.1 Coin Tracing 



Coin tracing can be performed efficiently using the techniques of [CMS96, FTY97], modified to allow for provable security. To add it in a modular way we need a preliminary stage, in which the Trustee entity $\mathcal{T}$ is created, and an addition to the withdrawal protocol. The following steps are performed: during the withdrawal protocol an additional value $I' = I g_3^{s^{-1}} g_4$ is created (where $g_4$ is an additional generator of $G_q$) and its relationship to an ElGamal encryption $E_1 = (I g_2 g_4)^{s} f_1^{m}$, $E_2 = g_1^{m}$ is proven using indirect discourse proofs; here $f_1 = g_1^{x_{\mathcal{T}}}$ is a public key published by the Trustee. The coin then embeds $I'$ instead of $I$ and becomes $A = (I' g_2)^{s'} = I^{s'} g_2^{s'} g_3^{s' s^{-1}} g_4^{s'}$, where $s'$ is the user's blinding factor.

At payment the verifier checks that the coin is of the form $A = g_1^{u_1 s} g_2^{s} g_4^{s} g_3$, thereby indirectly forcing the user to set $s' = s$.

Coin tracing is then performed by the trustee decrypting $(E_1, E_2)$ to obtain the paid coin $\hat{A} = A/g_3 = (I g_2 g_4)^{s}$.

This method retains the anonymity of the user (based on the decision Diffie-Hellman assumption) with minimal computational overhead, while it requires no changes to the existing blind signature protocol. However we do not describe it in detail as (1) it can be derived in a straightforward manner from the techniques of [CMS96, FTY97] and section 3.3 above, while (2) in section 5 we show a more efficient method achieving both owner and coin tracing.



4.2 Owner Tracing 



An off-line coin by its nature has its owner's identity embedded in it. Thus for owner tracing all we need is an encryption of the user's identity using a public key encryption system, in such a way that the encryption is linked to the coin. Hence, Trustees can open the ciphertext to obtain the identity. An indirect discourse proof during payment assures the receiver that the encrypted identity is the same as the one embedded in the coin. The additions to the basic protocol are limited to a preliminary stage, in which the Trustee entity $\mathcal{T}$ is created, and to a modular addition to the payment protocol. Here we show the payment protocol that corresponds to the blinding protocol of section 3.1.

$\mathcal{T}$'s public information: Public key $f_2 = g_2^{x_{\mathcal{T}}}$ associated with private key $x_{\mathcal{T}} \in_R \mathbb{Z}_q$.

The new payment protocol:

$\mathcal{U}$: $m \in_R \mathbb{Z}_q$; $D_1 = I f_2^{m}$ $[= I g_2^{x_{\mathcal{T}} m}]$, $D_2 = g_2^{m}$;
$V_1 = \mathrm{EqLog}[(D_1, f_2), g_1, (D_2, g_2), \mathrm{nil}]$;
$V_2 = \mathrm{IndPrf}[(A, \{g_2, g_4\}), g_1, (A, g_1, D_1 | f_2), g_2]$ (in $V_2$, $\mathcal{U}$ uses $B = g_1^{x_1} g_2^{x_2}$ from withdrawal instead of a random $A'$);
sends $D_1, D_2, V_1, V_2$ to $\mathcal{R}$.
$\mathcal{R}$: checks $D_2 \neq 1$; verifies $V_1, V_2$.

This protocol proves to $\mathcal{R}$ that $(D_1, D_2)$ is an ElGamal encryption of $I$, based on $f_2$, where $I$ is the same identity as the one embedded in the coin $A$. In particular, first $V_1$ proves that $D_1 = g_1^{x} f_2^{m}$, $D_2 = g_2^{m}$ for some $x, m$. Then $V_2$ proves that $x \cdot s = u \cdot s \pmod q$ where $A = g_1^{u s} g_2^{s} g_4^{s}$ is the user's coin; therefore, $x = u \pmod q$ and thus $D_1 = I f_2^{m}$ as required.

Efficiency: The protocol poses minimal additional communication and computation requirements (on the order of 7 exponentiations for $\mathcal{U}$ and 9 for $\mathcal{R}$), while keeping $\mathcal{T}$ off-line in all cases.



5 Simplified FOLC 

Although the protocols of the previous sections are efficient and secure, it turns out that if we can alter some design aspects of the basic e-cash system it is possible to perform coin and owner tracing in one step, thus effectively reducing the computational requirements by half, while remaining within the same security assumptions.

The idea is to combine the identity of the user with a "coin identifier" (as in [CMS96]) into an unconditional commitment. Then, this commitment is signed using the blinding protocol. The commitment is constructed such that the resulting coin is itself part of an ElGamal encryption of the user's identity (this idea has its root in [dST98]). Thus, one execution of the blinding protocol (which is the bulk of the computation at withdrawal) in effect performs two tasks at once: tracing the coin and encrypting the user's identity. The blinding protocol used is a modification of the one appearing in section 3.1 that operates on 3 instead of 2 generators, but whose security is unchanged [Bra93a]. The fact that the commitment is unconditional allows us to prove anonymity under the decision Diffie-Hellman assumption.

For coin tracing an ElGamal encryption of the "coin identifier" is constructed at withdrawal, and its correct construction (with respect to the commitment) is verified using proofs of equality of logarithms. For owner tracing one additional value is constructed (at payment) to form an ElGamal encryption in conjunction with the coin; the correctness of this value requires proofs of equality of logarithms instead of indirect discourse proofs. We proceed with the details.

Bank's setup protocol: (performed once by $\mathcal{B}$)

Primes $p$ and $q$ are chosen such that $|p - 1| = \delta + k$ for a specified constant $\delta$, and $p = \gamma q + 1$, for a specified integer $\gamma$. Then a unique subgroup $G_q$ of prime order $q$ of the multiplicative group $\mathbb{Z}_p^*$ and generators $g, g_1, g_2, g_3, g_4$ of $G_q$ are defined. Secret key $x_{\mathcal{B}} \in_R \mathbb{Z}_q$ is created.[1] Hash functions $\mathcal{H}, \mathcal{H}', \ldots$ from a family of collision intractable hash functions are also defined. $\mathcal{B}$ publishes $p, q, (g, g_1, g_2, g_3, g_4, \mathcal{H}, \mathcal{H}', \ldots)$ and its public keys $h = g^{x_{\mathcal{B}}}$, $h_1 = g_1^{x_{\mathcal{B}}}$, $h_2 = g_2^{x_{\mathcal{B}}}$, $h_3 = g_3^{x_{\mathcal{B}}}$.

Trustee's setup protocol: (performed once by $\mathcal{T}$)

Public keys $f_2 = g_2^{x_{\mathcal{T}}}$, $f_3 = g_3^{x_{\mathcal{T}}}$ associated with private key $x_{\mathcal{T}} \in \mathbb{Z}_q$ are published.

User's setup (account opening) protocol: (performed for each user $\mathcal{U}$)

The bank $\mathcal{B}$ associates user $\mathcal{U}$ with $I = g_1^{u_1}$ where $u_1 \in \mathbb{Z}_q$ is generated by $\mathcal{U}$ and $g_1^{u_1} g_2 \neq 1$. $\mathcal{U}$ also proves (using the Schnorr identification scheme [Sch91]) to $\mathcal{B}$ that he knows how to represent $I$ w.r.t. $g_1$.

Withdrawal: (over an authenticated channel between $\mathcal{B}$ and $\mathcal{U}$)

An intermediate value $I' = g_1^{u_1 s^{-1}} g_3^{s^{-1}} g_4^{t}$ is created. The user constructs an ElGamal encryption $E_1 = g_2^{s} f_3^{m}$, $E_2 = g_3^{m}$ of $g_2^{s}$ and proceeds to prove its correct construction w.r.t. $I'$. The constructions of $I', E_1, E_2$ are proven using proofs of equality of logarithms. The blinding protocol of section 3.1 then proceeds with $I'$ replacing $I$.

Note that during the payment protocol the user is expected to present a coin of a specific structure; this forces him to use the committed value $s$ as the blinding factor. Thus the coin contains $g_2^{s}$ and can be traced by decrypting $(E_1, E_2)$.

The withdrawal protocol results in a signature of the form appearing in equation (1) (see section 3.1):

$\mathcal{U}$: $m, s, t \in_R \mathbb{Z}_q$; $I' = g_1^{u_1 s^{-1}} g_3^{s^{-1}} g_4^{t}$; $E_1 = g_2^{s} f_3^{m}$, $E_2 = g_3^{m}$;
$V_1 = \mathrm{EqLog}[(E_1, f_3), g_2, (E_2, g_3), \mathrm{nil}]$;
$V_2 = \mathrm{EqLog}[(g_3, I'), (g_1, g_4), (E_1, g_2), f_3, (I, I'), (g_3, g_4)]$;
sends $I', E_1, E_2, V_1, V_2$ to $\mathcal{B}$.
$\mathcal{B}$: checks $E_2 \neq 1$; verifies $V_1, V_2$; $w \in_R \mathbb{Z}_q$; $a' = g^{w}$, $b' = (I' g_2)^{w}$, $b'' = g_4^{w}$; sends $a', b', b''$ to $\mathcal{U}$.
$\mathcal{U}$: $A = (I' g_2 g_4^{-t})^{s}$ $[= g_1^{u_1} g_2^{s} g_3]$; $z = h_1^{u_1} h_2^{s} h_3$ $[= A^{x_{\mathcal{B}}}]$; $x_1, x_2, u, v \in_R \mathbb{Z}_q$; $B = g_1^{x_1} g_2^{x_2}$; $a = (a')^{u} g^{v}$; $b = (b' (b'')^{-t})^{su} A^{v}$; $c = \mathcal{H}(A, B, z, a, b)$; $c' = c/u$; sends $c'$ to $\mathcal{B}$.
$\mathcal{B}$: $r' = c' x_{\mathcal{B}} + w \bmod q$; sends $r'$ to $\mathcal{U}$.
$\mathcal{U}$: $r = r' u + v \bmod q$.

At the end of the protocol $\mathcal{U}$ verifies: $g^{r} \stackrel{?}{=} h^{c} a$, $A^{r} \stackrel{?}{=} z^{c} b$.

[1] We assume, for simplicity, that only one denomination is used. A different key for each denomination is necessary.



Payment: (performed between $\mathcal{U}$ and $\mathcal{R}$ over an anonymous channel)

At payment time $\mathcal{U}$ supplies information to the receiver $\mathcal{R}$ (which is later forwarded to the bank) so that if a coin is double-spent the user $\mathcal{U}$ is identified.

The user provides the signature on the coin $A = g_1^{u_1} g_2^{s} g_3$ and uses $A_1 = A/g_3$ for the verifications of the payment protocol. I.e., the user is forced to use $s$ as the blinding factor, in order to "neutralize" the exponent of $g_3$.

The user also provides the value $A_2 = f_2^{s}$ and proves that this, together with the coin, forms a (modified) ElGamal encryption of $g_1^{x}$ which, from the withdrawal protocol, can only be $g_1^{u_1} = I$, i.e., the user's identity. To prove the construction all that is needed is the proof of equality of logarithms $V_3 = \mathrm{EqLog}[(A_1, g_2), g_1, (A_2, f_2), \mathrm{nil}]$.

The payment protocol ($\mathcal{U}$ and $\mathcal{R}$ agree on date/time, to be used as input to the non-interactive challenge):

$\mathcal{U}$: $A_1 = g_1^{u_1} g_2^{s}$ $[= A/g_3]$; $A_2 = f_2^{s}$; $V_3 = \mathrm{EqLog}[(A_1, g_2), g_1, (A_2, f_2), \mathrm{nil}]$ ($\mathcal{U}$ uses $B$ instead of $A'$ in the construction of $V_3$); sends $A_1, A_2, A, B$, $\mathrm{sig}(A, B) = (z, a, b, r)$ and $V_3$ to $\mathcal{R}$.
$\mathcal{R}$: checks $A_1 \neq 1$ and $A_1 g_3 = A$; verifies $\mathrm{sig}(A, B) = (z, a, b, r)$; verifies $V_3$.

Deposit: (performed between $\mathcal{R}$ and $\mathcal{B}$ over an authenticated channel)

$\mathcal{R}$ sends a transcript of the payment protocol to $\mathcal{B}$ who verifies the (non-interactive) proofs.

Owner tracing: (performed between $\mathcal{B}$ and $\mathcal{T}$ over an authenticated channel)

The bank simply sends the deposited coin to the trustee $\mathcal{T}$. $\mathcal{T}$ uses the private key to decrypt the ElGamal encryption $(A_1, A_2)$ and sends the decrypted value (i.e., $I = g_1^{u_1}$) to $\mathcal{B}$. The bank indexes this against its account database to find the coin's owner.

Coin tracing: (performed between $\mathcal{B}$ and $\mathcal{T}$ over an authenticated channel)

The bank sends a withdrawal transcript to $\mathcal{T}$. The trustee decrypts the ElGamal encryption $(E_1, E_2)$ to obtain the value $g_2^{s}$; the bank then searches its deposit databases for the coin $A = I g_2^{s} g_3$, where $I$ is the user's identity.

Efficiency: The protocols require around 8 and 11 exponentiations for the user and bank at withdrawal and 4 and 2 for the user and receiver at payment.
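The trustee's two decryptions, as an added example that is not part of the original paper. It builds the values a user produces at withdrawal ($E_1, E_2$) and at payment ($A, A_1, A_2$) for the section 5 coin, then performs coin tracing (ordinary ElGamal under $f_3$) and owner tracing, where $(A_1, A_2) = (I g_2^{s}, f_2^{s})$ is the "inverted" ElGamal ciphertext: the randomness $s$ is recovered as $g_2^{s} = A_2^{1/x_{\mathcal{T}}}$ rather than from a separate $g^{m}$ component. The toy group and generators are assumptions of this example; the coin structure and the tracing steps follow the text above.

```python
"""Trustee-side coin and owner tracing for the section 5 coin, toy parameters.

Added example, not from the paper.  Toy p = 2q + 1; real parameters are far larger.
"""
import secrets

P, Q = 2039, 1019   # constructed toy parameters: both prime, P = 2*Q + 1


def gen(seed):
    g = pow(seed, 2, P)   # squares of Z_p^* form the order-q subgroup
    assert g != 1
    return g


g1, g2, g3 = gen(2), gen(3), gen(5)


class Trustee:
    """T publishes f2 = g2^xT and f3 = g3^xT and keeps xT."""

    def __init__(self):
        self.xT = secrets.randbelow(Q - 1) + 1
        self.f2, self.f3 = pow(g2, self.xT, P), pow(g3, self.xT, P)

    def trace_coin(self, E1, E2):
        """Ordinary ElGamal: E1 / E2^xT = g2^s f3^m / g3^(m xT) = g2^s."""
        return E1 * pow(pow(E2, self.xT, P), -1, P) % P

    def trace_owner(self, A1, A2):
        """'Inverted' ElGamal (A1, A2) = (I g2^s, f2^s): since A2 = g2^(xT s),
        g2^s = A2^(1/xT) with the inverse taken mod q, and then I = A1 / g2^s."""
        coin_id = pow(A2, pow(self.xT, -1, Q), P)
        return A1 * pow(coin_id, -1, P) % P


def withdrawal_values(trustee, s):
    """User at withdrawal: ElGamal encryption (E1, E2) of the coin identifier g2^s under f3."""
    m = secrets.randbelow(Q)
    E1 = pow(g2, s, P) * pow(trustee.f3, m, P) % P
    E2 = pow(g3, m, P)
    return E1, E2


def payment_values(trustee, u1, s):
    """User at payment: coin A = g1^u1 g2^s g3, A1 = A/g3, and A2 = f2^s."""
    A1 = pow(g1, u1, P) * pow(g2, s, P) % P
    A = A1 * g3 % P
    A2 = pow(trustee.f2, s, P)
    return A, A1, A2


def receiver_checks_form(A, A1):
    """R accepts only a coin of the fixed form A1 * g3 = A (this forces the blinding factor s)."""
    return A1 * g3 % P == A


def bank_coin_from_trace(I, coin_id):
    """Bank after coin tracing: the coin to look up in the deposit database is I * g2^s * g3."""
    return I * coin_id * g3 % P
```

Note that `trace_owner` needs $x_{\mathcal{T}}^{-1} \bmod q$, not $x_{\mathcal{T}}$ itself; a trustee implementation that only stores a standard ElGamal decryption routine cannot open these ciphertexts without that inverse.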

6 Security 

The security of FOLC can be described in three parts: (1) security for the payees and bank (i.e., unreusability, unforgeability, and unexpandability of coins), (2) security of the extensions (i.e., the ability of the trustees to trace), and (3) security (anonymity) for the legitimate users. Our protocols guarantee the following:

- (1) above is unchanged from the underlying basic off-line e-cash protocol. This can be seen since the blinding protocol is either unmodified (section 4) or (in section 5) the modifications do not impair its security [Bra93a]. See appendix A for a sketch of the proof.

- (2) above is based on the correctness property of the proof of equality of logarithms, i.e., it is guaranteed based on the existence of hash functions that behave like random oracles. The proof here is straightforward (verify that the user is constrained in the construction of the ElGamal encryptions, based on the proofs of equality of logarithms) but relatively lengthy. See appendix A for more details.

- Finally, (3) above is based on the semantic security of the (inverted) ElGamal encryption, i.e., on the decision Diffie-Hellman assumption. Intuitively, note that the disclosed values do not reveal any information; a sketch of an actual proof which shows that if anonymity is broken then the decision D-H assumption does not hold, is given in appendix B.



7 Discussion and Open Problems 

We have constructed a simple solution for fair off-line electronic cash, utilizing recent security proofs for homomorphic encryption schemes [TY98]. We believe that the biggest open problem is to prove security under even stricter assumptions while keeping the efficiency of our constructions. A first step in this direction may be a recently proposed encryption scheme with homomorphic properties, whose semantic security is equivalent to factoring. Similarly, we would like to see blinding protocols whose restrictive properties can be proven secure.
A Security for the Bank and Receivers (Shops)

We show a sketch of the proof for (1) and (2) of section 6; for shortness we limit the discussion to the protocol of section 5.

At payment, $V_3$ proves that $A_1 = g_2^{x} g_1^{y}$ and $A_2 = f_2^{x}$ for some $x, y$; i.e., that $(A_1, A_2)$ forms an ElGamal encryption of $g_1^{y}$ based on the Trustee's public key $f_2$. Also notice that $V_3$ is always carried out with the same randomness $B = g_1^{x_1} g_2^{x_2}$, therefore if it is executed twice it will reveal the representation $(x, y)$, where $y$, as we will see, is the user's private key.

Then, at withdrawal, $V_1$ proves that $E_1 = g_2^{s} f_3^{m}$, $E_2 = g_3^{m}$ for some $s, m$, i.e., that $(E_1, E_2)$ forms an ElGamal encryption of $g_2^{s}$. Also, $V_2$ proves that $g_3 = (I')^{v} g_1^{w} g_4^{t}$, $E_1 = g_2^{v} f_3^{u}$, $I = (I')^{v} g_3^{d} g_4^{e}$ for some $v, w, t, u, d, e$. But from $V_1$ we have that $E_1 = g_2^{s} f_3^{m}$, thus $v = s$, $u = m$ and therefore $g_3 = (I')^{s} g_1^{w} g_4^{t}$, $E_1 = g_2^{s} f_3^{m}$, $I = (I')^{s} g_3^{d} g_4^{e}$. By rearranging the equations involving $I'$ we get $I' = g_3^{s^{-1}} g_1^{w'} g_4^{t'}$ and $I' = I^{s^{-1}} g_3^{d'} g_4^{e'}$, where $w' = -w s^{-1}$ etc. Also at user setup it has been proven that $I = g_1^{u_1}$, hence we have that $I' = (g_1^{u_1})^{s^{-1}} g_3^{d'} g_4^{e'} = g_1^{u_1 s^{-1}} g_3^{d'} g_4^{e'}$, and (from the first equation on $I'$, by uniqueness of representations), $I' = g_1^{u_1 s^{-1}} g_3^{s^{-1}} g_4^{t'}$, where $t'$ is unknown to the bank, and $s$ is the same as in $E_1$.

Now, if we assume that the withdrawal protocol is a restrictive blind signature protocol (an assumption initially made and argued for in [Bra93a]), i.e., under the terminology of [TY98] it satisfies unforgeability and unexpandability, then the signed number $A$ must be of the form $A = (I' g_2)^{u} g_4^{v}$, for some $u, v$, i.e., $A = g_1^{u_1 s^{-1} u} g_3^{s^{-1} u} g_2^{u} g_4^{t' u} g_4^{v}$. From the payment above we have seen that $A = A_1 g_3 = g_2^{x} g_1^{y} g_3$. Therefore, it must be that $s^{-1} u = 1 \pmod q$ and $t' u + v = 0 \pmod q$; in particular, $u = s \pmod q$. Putting these values in $A$ we get $A = g_1^{u_1} g_2^{s} g_3$, and therefore $A_1 = g_1^{u_1} g_2^{s}$, $A_2 = f_2^{s}$, as required for tracing.

Thus we have shown that if unforgeability and unexpandability are satisfied for the starting scheme (in this case [Bra93a]) then traceability and bank/shop security also hold for FOLC.

B Anonymity

For anonymity (i.e., untraceability as defined in [TY98]) we want to prove that given a pair of withdrawal protocols and the corresponding paid coins, a collaboration of bank and shops cannot decide which coin came from which withdrawal. Again we limit the discussion to the protocol of section 5. The data that is available for this linking is the following[2] (we omit the values $I'_0, I'_1$ since they are unconditionally blinded by the random $t_0, t_1$):

At withdrawal: $[V_1^{0}, V_2^{0}, E_1^{0} = g_2^{s_0} f_3^{m_0}, E_2^{0} = g_3^{m_0}, c'^{0}]$ and $[V_1^{1}, V_2^{1}, E_1^{1} = g_2^{s_1} f_3^{m_1}, E_2^{1} = g_3^{m_1}, c'^{1}]$.

At payment: $[A_1^{i} = g_1^{u_1^{i}} g_2^{s_i}, A_2^{i} = f_2^{s_i}, V_3^{i}, z^{i}, a^{i}, b^{i}, r^{i}, B^{i}]$ and $[A_1^{j} = g_1^{u_1^{j}} g_2^{s_j}, A_2^{j} = f_2^{s_j}, V_3^{j}, z^{j}, a^{j}, b^{j}, r^{j}, B^{j}]$, $i, j \in \{0, 1\}$, $i \neq j$.

The linking problem is to determine whether $i$ is 0 or 1.

Suppose now we have a machine $M$ which given the above information can find $i$. Then we can use this machine to break the ElGamal encryption in the sense of indistinguishability, i.e., break the decision D-H assumption [TY98], as follows (sketch):

Let $\mu_0 = g_2^{s_0}$, $\mu_1 = g_2^{s_1}$ be two messages, and let $(E_1^{0}, E_2^{0})$, $(E_1^{1}, E_2^{1})$ be the encryptions of $\mu_0, \mu_1$ respectively. Then we feed $M$ with these encryptions, plus $(A_1^{i}, A_2^{i})$, $(A_1^{j}, A_2^{j})$, which we can construct since we know $s_i, s_j$ (and the identities). We then simulate $V_k^{l}$, for $k \in \{1, 2\}$, $l \in \{0, 1\}$, and $V_3^{i}, V_3^{j}$; the simulations for $V_3$ require random values to be chosen for $B^{i}, B^{j}$. Then the signatures of the coins are simulated, i.e., random values $R^{i}, c^{i}, R^{j}, c^{j}$ are chosen and $a^{i} = g^{R^{i}}$, $r^{i} = c^{i} x_{\mathcal{B}} + R^{i}$, $z^{i} = (A^{i})^{x_{\mathcal{B}}}$, $b^{i} = (A^{i})^{R^{i}}$, $a^{j} = g^{R^{j}}$, $r^{j} = c^{j} x_{\mathcal{B}} + R^{j}$, $z^{j} = (A^{j})^{x_{\mathcal{B}}}$, $b^{j} = (A^{j})^{R^{j}}$ are calculated. Finally $c'^{i}, c'^{j}$ are chosen at random (it is easy to verify that for any choice of $c, c', R$, setting $u = c/c'$, $v = R - wu$ satisfies both $c' = c/u$ and the values of $a, b$ as calculated using $R$; thus the simulation is perfect). These values are then inserted into $\mathcal{H}(A^{i}, B^{i}, z^{i}, a^{i}, b^{i})$, $\mathcal{H}(A^{j}, B^{j}, z^{j}, a^{j}, b^{j})$ and the values of the hash function at these points are changed so that the results are $c^{i}, c^{j}$ respectively.

The whole output of the simulator (consisting of the above values) is then fed to $M$, which returns the value of $i$, and thus breaks the semantic security of ElGamal encryption.

Finally, the above problem of distinguishing between two ciphertexts can be embedded in a context of polynomially many withdrawals using standard methods.

[2] Here $X^{i}$ or $X_i$ denotes value $X$ at protocol $i$.
Abstract. An exchange or payment protocol is considered fair if neither 
of the two parties exchanging items or payment at any time during the 
protocol has a significant advantage over the other entity. Fairness is 
an important property for electronic commerce. This paper identifies 
a design framework based on existing fair protocols which use offline 
trusted third parties, but with convertible signatures as the underlying 
mechanism. We show that in principle any convertible signature scheme 
can be used to design a fair payment protocol. A specific protocol is 
detailed based on RSA undeniable signatures which is more efficient than 
other similar fair payment schemes. Furthermore, in this protocol the 
final signature obtained is always an ordinary RSA signature. 



1 Introduction 

As more and more electronic transactions are being conducted on insecure net- 
works, it is becoming obvious that electronic transactions are governed by differ- 
ent forces from the ones which affect normal physical exchanges of currency and 
goods. The possibility that transactions can occur remotely is one of the greatest 
advantages of electronic transactions as well as one of its biggest challenges to 
protocol designers. 

In a typical physical exchange two entities, for example a customer and a 
shopkeeper, are present at the same location. During the exchange the customer 
hands the shopkeeper some notes and coins. In return the shopkeeper hands the 
desired goods to the customer. Unfortunately, in electronic commerce the secu- 
rity of this scenario is suspect because of the remoteness of the shopkeeper and 
the customer. It is possible that, once the customer’s coins have passed through 
cyberspace and have been received by the shopkeeper, the shopkeeper refuses 
to deliver the goods; or if the shopkeeper hands the goods to the customer first 
the customer may log off instead of paying the shopkeeper. These problems arise 
with electronic transactions because the customer and shopkeeper are separated 
by cyberspace. In a physical situation, if the customer attempts to take the goods 
without paying the shopkeeper has the option to detain him. 

* Sponsored by Commonwealth Bank and the Australian Research Council 
This problem is an obvious one to electronic transaction protocol designers. 
In the course of development of electronic commerce protocols, many schemes 
have been developed to solve the problem of electronic exchange. These protocols 
are referred to in the literature as fair exchange protocols. The main objective 
of all fair exchange protocols is to ensure that at no point during the execution 
of the protocol can either of the entities participating in the exchange gain any 
(significant) advantage over the other if the protocol is suddenly halted. 

1.1 Previous Work 

Until recently there have been two main approaches for achieving fair exchange. 
The first approach is to ensure that the exchange occurs simultaneously. One 
way of providing simultaneous exchange is to have the participants exchange 
information bit by bit in an interleaving manner [15]. 

The second approach is to ensure that the exchange will be completed even 
though one of the entities participating in the exchange refuses to continue. Fair 
exchange protocols which employ this approach often use a trusted third party 
to store the details of the transaction [8, 18]. These details are released if one of 
the entities refuse to complete the protocol. 

The use of the trusted third party greatly reduces the efficiency of the proto- 
col. For a once off transaction such as, say, exchange of an important contract, 
high efficiency need not be a priority. But for regular electronic transactions, 
such as remote purchase of electronic goods, efficiency is a critical issue. So 
most of the recent fair exchange protocols attempt to reduce the need for the 
trusted third party in the online execution of the transaction while ensuring that 
a trusted third party is always available to resolve disputes. Protocols which do 
not require a trusted third party during the online execution are referred to as 
being offline. 

The basic method for fair exchange using an offline third party has been es- 
tablished in a few recent papers. This method seems first to have been presented 
by Mao [12] and was followed further by Asokan, Shoup and Waidner [1] and 
Bao, Deng and Mao [2]. The general idea in all these papers is for one party 
(sometimes both parties) to send a signature to the other in such a way that: 

— the recipient is convinced that the signature is correct but cannot transfer 
the proof of correctness to other parties. 

— the recipient is convinced that if necessary the offline third party will be able 
to make the signature available to any verifier. 

The recipient of such a signature should then be willing to proceed with the 
transaction with the knowledge that in case of dispute the third party can make 
the signature universally verifiable. But normally the third party is not involved, 
thereby allowing great efficiency savings over protocols with an online trusted 
third party. 

The way that the above properties have been achieved in previous work is 
that the signature is encrypted with the public key of the third party. A ver- 
ifiable encryption protocol is then executed between the sender and recipient 
of the signed message in order to achieve the second property above. Although 
these are all ingenious protocols they do suffer from some potential drawbacks. 
One is that the verifiable encryption protocols currently available are compu- 
tationally expensive, perhaps too much so for practical use of these schemes in 
everyday transactions. Another drawback is that these protocols also require a 
large amount of storage. In order to reduce complexity of both computation and 
communications, non-interactive verifiable encryption has been proposed. How- 
ever, this raises the question of whether a non-interactive proof that a signature 
is encrypted is really any different from a signature itself, since it alone is suffi- 
cient to prove to any third party that the signer has committed to the message. 
We believe that there is little difference in functionality and that convertible 
signatures with non-interactive proofs of correctness should be avoided in our 
fair payment protocols. 



1.2 Our Approach 

In this paper new fair exchange protocols using an offline trusted third party 
are proposed. The principal new idea is to make use of a well known crypto- 
graphic primitive known as a convertible signature. All the previously published 
offline fair exchange schemes use the same basic idea of allowing one party, say 
the merchant, to be able to verify that if necessary he can employ the third 
party to convert a restricted commitment, verifiable by the merchant, into a full 
signature providing non-repudiation. In other words, a signature verifiable only 
by the merchant is converted into a universal signature. Convertible undeniable 
signatures provide exactly this property. 

Undeniable signatures were introduced by Chaum and van Antwerpen [5]. 
These are digital signatures which can only be verified with the assistance of 
the signer. The signer is able to confirm or deny the ownership of the signature. 
No entity other than the signer is able to verify ownership of the signature. The 
signer is unable to prove that a valid signature is invalid or similarly that an 
invalid signature is valid. Convertible undeniable signatures developed by Boyar, 
Chaum and Damgard [3] build on the properties of undeniable signatures. Like 
undeniable signatures, convertible undeniable signatures can only be verified 
with the assistance of the signer but in addition the signer is able to selectively 
convert a single undeniable signature into a normal digital signature or collec- 
tively convert all the signer’s signatures into normal digital signatures which can 
be verified by anyone. 

An extension of the idea of convertible signatures are designated converter 
signatures, defined by Chaum [4] in which conversion may be achieved by a desig- 
nated third party separate from the original signer. (Actually Chaum called them 
designated confirmer signatures, but we have changed the name to emphasize the 
conversion property which we are interested in. In fact in all known examples 
either confirmation or conversion may be achieved according to whether an in- 
teractive or non-interactive protocol is used.) These appear even more suited to 
application in fair exchange than ordinary convertible signatures. 
Surprisingly, the use of convertible signatures does not appear to have been 
proposed before in the context of fair exchange. Despite this each of the offline 
fair exchange protocols proposed in previous papers [1, 2, 12] can be seen as a new 
designated converter signature algorithm! This is because verifiable encryption 
of a signature with a designated third party’s public key clearly allows that 
third party to convert the signature into a universally verifiable one simply by 
decryption. In this paper we will use existing convertible signature schemes and 
adapt them to work for fair exchange protocols. 

We explore the use of convertible undeniable signatures in fair exchange 
protocols with an offline third party. We mainly concentrate on the convertible 
property of these signatures as the undeniable function is not necessary for fair 
exchange. We are able to propose a number of new protocols which are at least 
as efficient as any other known protocols of this type. We regard the following 
as the three main contributions of the current paper. 

— A general framework for fair payment in which any convertible signature
scheme may be used.

— A new fair payment protocol which is more efficient than similar fair
exchange schemes.

— A new designated converter signature for which converted signatures are
ordinary RSA signatures.

Asokan, Shoup and Waidner [1] and Mao [12] exchange signatures fairly between
two parties. In this paper we focus on more specific goals in that we wish to
conduct a payment transaction between a customer and a merchant. Bao, Deng and
Mao [2] present two fair exchange protocols which may be used for payment. Their
first protocol is inefficient since it relies on use of verifiable encryption
protocols which require a high number of rounds for security. Their second
protocol uses a more efficient verifiable encryption protocol, but unfortunately
this protocol is faulty and allows anyone to verify the customer’s signature.

In section 2, we present a general design model for fair payment. Section 
3 discusses use of existing convertible signature schemes within the model. A 
new designated converter signature is presented in detail inside the framework 
in section 4. An attack on the second Bao, Deng and Mao protocol is presented 
in the appendix. 



2 A Framework for Offline Fair Payment Protocol Design 

2.1 Definitions and Notation 

The following symbols will be used to represent common parameters for the
entire paper. Other parameters which are only used by specific protocols will be
defined in the protocol description.

C       The customer entity.

M       The merchant entity.

B       The bank, acquirer or notary entity.

TTP     The trusted third party. It is possible that the bank could play the
        role of the trusted third party also but for the purpose of this paper
        we assume trusted third party and the bank are separate entities.

m       Purchase information. This is information regarding the goods’ product
        ID, the price to be paid for the goods as well as the merchant account
        number. It is assumed that this information will uniquely identify the
        transaction and the merchant entity.

Cert_X  The certificate which verifies the public key of entity X with the
        appropriate certification authority. It also contains the customer’s
        banking details which can only be decrypted by the bank entity and the
        customer’s public key.

Goods   The goods which are described in m. These are assumed to be software
        goods which can be transmitted securely encrypted across open networks.



The following notation is used to denote cryptographic operations. X and Y
always represent communicating parties and may be any of the four entities
defined above.

E_XY(Message)   Message, encrypted with the key XY using symmetric key
                cryptography. It is assumed that the key is known only by X and
                Y and that only these entities may know the contents of Message.

E_X(Message)    Message, encrypted with a public key belonging to X using public
                key cryptography. It is assumed that the public key belonging to
                X is known to all entities but only the entity X knows the
                corresponding private key to decrypt the contents of Message.

Sig_X(Message)  Message, digitally signed by X using public key cryptography.
                This implies that X’s public key is used to ensure that the
                message was transmitted by X. A message signed in this fashion
                can be verified by any entity.

S_X(Message)    Message, digitally signed by X using a convertible undeniable
                signature.

H(Message)      A cryptographic function which results in a digest and checksum
                of Message, using an algorithm such as the Secure Hash Algorithm
                (SHA) one-way hash function.
2.2 The Design Framework

The following design framework is the model which has been used to develop the 
offline fair payment protocols described in this paper. This model can be used 
with any convertible signature scheme to construct new offline fair payment 
protocols as long as there is a way to ensure that only the third party is able to 
convert signatures. 

The basic protocol ensures fairness by having TTP force the completion of 
a transaction if a dispute occurs. If no dispute occurs only C and M need to 
participate in the transaction. 



Registration A registration protocol between the customer and third party is 
required for our efficient protocol in section 4. It will be correctly argued that 
the need for registration is an overhead which somewhat reduces the efficiency 
of the new protocol. However, we would like to point out that in practice trusted 
third parties will not be offering their services free of charge, and registration 
is probably a necessary phase. It need only be carried out once to initialize the 
relationship between C and TTP. The purpose of the registration process is 
to ensure that C has been identified and approved by TTP. In section 4 it is 
specifically used to ensure that both the trusted third party and C share keys 
which are to be used in the case of a dispute. 



Payment The payment phase of the protocol must be conducted for each
transaction. It is during this phase that M and the customer exchange goods.

It is assumed that in this phase C has already gone through a bidding process
with M and that the two entities have already settled on the items to be
purchased and the price to be paid. This process may be as simple as C selecting
fixed priced goods from M’s web site. Thus C should already have all the
information included in m defined above.

P1. C → M : S(m)

P2. C ↔ M : M verifies interactively that S(m) is valid

P3. M → C : E_C(Goods)

P4. C → M : Sig_C(m)

In step P1, C generates a partial signature of the transaction information m.
The partial signature must be in such a form that only M can verify its
correctness. In all our protocols M and C have to interact to verify this partial
signature and this verification is done in step P2. Another property of the
partial signature is that the trusted third party must be able to convert it
into a normal signature which anyone could verify. This property is only used in
case of a dispute.

Once M is satisfied that C’s partial signature is valid he sends a signed copy
of the requested goods to C along with the transaction information. This is done
in step P3 of the protocol.

In step P4, C, on receipt of the goods, sends a normal signature to M. M can now
show everyone, including the bank, that C has agreed to the transaction details
in m. In practice M will follow this step with a deposit process, but we omit
this from further discussion.

Disputes If M decides not to send C the goods requested in the purchase
request, C does not send M her full signature approving the transaction. If C
decides to cheat M by refusing to send her full signature in step P4, M can
begin the dispute process in which the trusted third party forces the
transaction to occur.

D1. M → TTP : Sig_M(S(m), E_TTP(Goods))

    TTP converts S(m) to Sig_C(m)

D2. TTP → M : Sig_C(m)

D3. TTP → C : E_C(Goods)

In step D1, M sends to TTP the partial signature S(m) and an encrypted copy of
the goods E_TTP(Goods). The trusted third party can now convert the partial
signature, which can only be verified by M, into a normal signature which anyone
can verify.

In step D2, TTP sends the normal signature to M. TTP also sends the goods to C
in step D3, in case M is trying to falsely obtain C’s converter string.

We assume here that since the goods in question are information (‘soft’) 
goods neither party will gain if the goods are in fact sent twice to C in a dispute 
resolution. In particular for the system to work it is essential that neither party 
should gain from falsely engaging in a dispute. 

One problem that we have not addressed here is what should happen if the 
soft goods become old before they can be used by C, such as might happen with 
travel tickets or betting slips. This is an important issue in practical applications 
although somewhat out of scope of our concern here which is only to ensure that 
M and customer fairly exchange payment for goods. In practice use of validity 
windows and expiry times could solve this problem; for example, TTP would 
use the time of dispute in conjunction with the expiry time of the soft goods 
to resolve the issue. Note that previous fair exchange solutions have also left 
this issue unresolved. Another approach to this problem was taken by Asokan, 
Shoup and Waidner [1] in which users are allowed to send abort messages to 
TTP, which keeps a record of all aborted transactions. 



Security and Efficiency The security of any protocol designed using this 
framework relies on the following properties. 

Property 1. Only C can create the partially signed message S(m).

If this does not hold a fraudulent customer can impersonate C in step P1 of the
payment protocol by generating the partial signature and illegitimately purchase
goods. Transactions would be forced despite the denial of C.
Property 2. Only M and TTP can confirm that the partial signature generated by C
is valid or can convert the partial signature into a universally verifiable
signature.

In most cases only M needs to verify that C has produced the partial signature.
If other entities were able to verify C’s partial signature at any time the
fairness of the payment would not be present and M would have the advantage.

Property 3. If M accepts the validity of the transaction, then TTP can convert 
partial signature S(m) into a normal signature Sigc(m). 

This property of the protocol ensures that the transaction will be completed 
fairly and that C does not gain an advantage over M. If this property was not 
provided C could refuse to send her signature in step P4 and receive the goods 
without payment. 



3 Solutions using Existing Signatures 

The framework of section 2 is applicable for use with a number of existing
convertible signature algorithms. Due to space limitations we give only a brief
outline here to allow room for more detailed discussion of the new protocol in
the next section. We highlight two distinct options for using the framework. The
first is to use convertible signature schemes together with verifiable
encryption while the second is to use designated converter signatures.

3.1 Convertible Signatures with Verifiable Encryption 

In the first practical convertible undeniable signature scheme of Boyar, Chaum
and Damgard [3], an undeniable signature consists of a triple (T, r, s) of
elements in the integers modulo a large prime¹. The element required to convert
such a signature into a universally verifiable signature is the discrete log t
of T. A partial signature can thus be formed by adding a copy of t encrypted
with the TTP’s public key to the undeniable signature. If the merchant is
convinced (i) that (T, r, s) is correct and (ii) that the ciphertext really is t
encrypted with TTP’s public key, then he can be sure that TTP can convert the
undeniable signature into a universally verifiable one.

The biggest problem with such a solution is that known protocols for verifiable
encryption of discrete logs are not very efficient. For example, the protocol of
Stadler [17] requires around 40 rounds in its interactive version. Alternative,
more general, protocols due to Asokan, Shoup and Waidner [1] have the same
requirement. More recent convertible undeniable protocols, such as those of
Damgard and Pedersen [6] could also be used in a similar fashion. The problem
with all these is to find an efficient verifiable encryption scheme which can be
matched to the conversion information. This problem is the reason why previous
fair exchange protocols have not been efficient.

¹ It should be noted that although this scheme was successfully attacked by
Michels, Petersen and Horster [13], the attack only affects the situation where
signatures are converted all at once and not converted individually as in our
application.

Some schemes, such as those of Michels and Stadler [14] do not seem appropriate
to use in this way since conversion of individual signatures works by converting
an interactive proof to a non-interactive one. This means that verifiable
encryption of a non-interactive proof would be required to use this method.

3.2 Designated Converter Signatures

Designated converter signatures can be used in a very direct way in the
framework. Confirmation by the customer during payment is essentially identical
to signature confirmation. TTP takes the role of the designated converter and so
can complete the dispute procedure when presented with the signature.

The first designated converter signature protocol proposed by Chaum [4] is 
based on RSA signatures, but these signatures are never used as plain RSA 
signatures in the protocol. Instead the correctness of signatures is linked to 
knowledge of a certain discrete log. The definition also relies on the existence of 
a function which destroys the multiplicative property of RSA signatures while 
at the same time being easy to invert. 

Converted signatures in Chaum’s scheme are not ordinary RSA signatures 
but non-interactive proofs of knowledge of a discrete log. In fact it is impossible 
for the signature owner in Chaum’s scheme to convert signatures in the same way 
as the designated converter. We believe it is important in our application that 
signatures converted either by the owner (merchant) or the designated converter 
(TTP) are indistinguishable. To achieve this in Chaum’s scheme, a signer who 
converts must recalculate a brand new designated converter signature, using a 
designated converter public key for which it knows the corresponding private 
key, and provide a non-interactive proof of correctness. 

Further designated converter signatures were provided by Okamoto [16]. His 
constructions rely on different assumptions from those of Chaum but share the 
same properties that converted signatures are non-interactive proofs and also 
that conversion by owner and designated converter are different. 

In conclusion we may say that existing designated converter signatures may be
used within our framework. These solutions are efficient in that they require
only two rounds (4 moves) to achieve high security. Their major drawback is that
converted signatures are not in the form of ordinary RSA or ElGamal-type
signatures which are likely to be required in electronic commerce schemes.

4 Offline Fair Payment using RSA Based Designated 
Converter Signatures 

The cryptographic tools used in this new protocol are entirely based on RSA
public key encryption and signatures. C splits her secret key in such a way that
TTP is able to complete a partial signature of the customer. TTP can force the
transaction to completion by ensuring that a complete signature can be
generated.

The scheme is an adaptation of the recent RSA-based undeniable signature scheme
of Gennaro, Krawczyk and Rabin (GKR) [10]. Although their scheme does allow for
designated confirmer signatures this still leaves the same drawbacks identified
in the previous section if used directly for fair exchange, in particular
converted signatures would not be ordinary RSA signatures.



4.1 Registration 

This is an efficient protocol requiring only one signature by each party. The 
registration stage of the protocol need only be conducted once (or at periodic 
intervals) and can be used to support any number of payments whether they are 
disputed or not. No state information need be stored by the third party once 
registration is complete. 

C has an RSA key pair consisting of secret exponent d, public exponent e and
modulus n. In order to use the results of GKR we assume that n is a strong prime
so that n = pq where p = 2p' + 1 and q = 2q' + 1 for primes p, p', q, q'. C’s
public key is certified by some certification authority which, in general, has
no connection with TTP, but which can be used by TTP or any merchant to verify
the correctness of the key. We denote this certificate Cert_C. The certificate
must assert that the modulus is correctly formed. A method for achieving this is
given in the GKR paper [10].



R1. C → TTP : Cert_C

When TTP receives this certificate he generates a random number d_1 which is
less than n. We require that gcd(d_1, φ(n)) = 1 but since φ(n) = 4p'q' this can
be practically ensured by demanding that d_1 is odd. This is to be part of the
secret key which is shared between C and TTP. TTP must be able to reconstruct
d_1 from the identity of C. A practical way to achieve this without demanding
TTP to store data for each customer is to make d_1 = 2H(K, C) + 1 where K is a
secret known only to TTP and H is a suitable hash function.

TTP then sends this key encrypted to C. This can be achieved using the public
key in the certificate Cert_C.

R2a. TTP → C : E_C(d_1)

C now calculates the second part of the secret key d_2 such that
d_1 d_2 e ≡ 1 (mod φ(n)). C must also create a reference message ω and calculate
a reference signature S(ω) = ω^{d_2} mod n. It is shown by GKR that we may safely
choose ω = 2.

The reference message and signature will be used by M to verify that TTP knows
d_1 and can force a transaction to completion. The reference message and
signature are sent to TTP.

R2b. C → TTP : ω, S(ω)
On receipt of the reference message and signature the trusted third party
checks that the reference signature is valid by verifying that the following
equation holds:

S(ω)^{d_1 e} ≡ ω (mod n)

If the equation holds then C must have generated the reference signature
correctly. TTP then creates a ticket which consists of C’s public keys and the
reference message and signature. TTP now signs this ticket and sends it to C.

R2c. TTP → C : Sig_TTP(Cert_C, S(ω))

C can now use this ticket to purchase goods from merchants. TTP’s signature is a
guarantee to the merchant who receives the ticket that the transaction can be
completed by TTP if C refuses, or is unable, to complete the transaction. This
is achieved by proving that a partial signature signed with d_2 is signed with
the same exponent as was used to sign S(ω). This is the basis of the GKR scheme.



4.2 Payment 

C has to generate a partial signature of the purchase information
S(m) = m^{d_2} mod n. (Here and below, m denotes m after preprocessing by any
desired hashing and padding processes which we will not detail here.) C
indicates that she wishes to conduct a payment by sending the purchase
information, a partially signed version of the purchase information and the
ticket received from TTP to M.

P1. C → M : m, S(m), Sig_TTP(Cert_C, S(ω))

M and C now complete a confirmation protocol which convinces M that TTP can
complete the transaction. This is exactly the signature confirmation protocol of
the GKR scheme. An efficient 4-move zero knowledge protocol shown below is given
in their paper [10].

Customer                                        Merchant

                                                Choose i, j ∈ [1..u]
                                                Set Q = S(m)^i S(ω)^j mod n
                      P2a.  ←  Q  ←
Set A = Q^{d_1 e} mod n
                      P2b.  →  commit(A)  →
                      P2c.  ←  i, j  ←
                      P2d.  →  A  →
                                                Verify A = m^i ω^j mod n
The function commit is a commitment function to ensure the zero knowledge
property. It may be implemented as a hash or as RSA encryption with an unknown
secret exponent if it is designed to avoid further security assumptions.

If M is satisfied the exchange can take place in step P3 and P4 of the
protocol.

P3. M → C : E_C(Goods)

P4. C → M : Sig_C(m)



4.3 Disputes 

If C does not complete the protocol by aborting after receiving the goods, M
contacts TTP to resolve the dispute. M sends to TTP the ticket and signature
received from C and the goods.

D1. M → TTP : Cert_C, m, S(m), E_TTP(Goods)

TTP first recovers d_1 = 2H(K, C) + 1 then calculates S(m)^{d_1}. TTP checks
whether S(m)^{d_1} = Sig_C(m) since Sig_C(m) = m^{d_1 d_2} mod n. TTP may also
check that the description of the goods in m corresponds with Goods sent to TTP.
If so, TTP accepts the claim of M and proceeds to send Sig_C(m) to M and the
goods to C.

D2. TTP → M : Sig_C(m)

D3. TTP → C : E_C(Goods)



4.4 Security and Efficiency 

Let us again examine the three security properties for this protocol. It is
intuitively reasonable that property 1 holds if RSA signatures are secure. In
fact it has been shown that breaking a multisignature with two private keys d_1
and d_2 is as hard as breaking RSA [9]. The basic idea is that if the
multisignature can be broken given known signatures and partial signatures then
RSA may be broken by simulating partial signatures with random d_1 values and
complete signatures with the public e value. This proof can easily be adapted to
include the trusted party for whom d_2 is also known.

Property 2 can also be proven from the security of RSA multisignatures. 
Similar to the above case, an algorithm that can convert a partial signature into 
a complete one can be used to forge ordinary RSA signatures. 

Finally, to prove property 3 we can use the properties of the GKR signature. It
is proven [10, Theorem 1] that the prover (customer) in the payment protocol
cannot convince the verifier (merchant) to accept an incorrect signature except
with negligible probability. Thus the merchant will only accept if
S(m) = m^{d_2} mod n.

It must be pointed out that the proofs in GKR only give confidence that
signatures are true RSA signatures up to multiple by an element of order 2. To
be precise, it is proven that S(m) = α m^{d_2} mod n where α is an element of
order at most 2. Thus a customer could give this slight variant instead of the
true RSA signature. However, in this case, on conversion the third party will
obtain α Sig_C(m) and can hence obtain α. But there are only two non-trivial
elements of order 2 (since it is certified that n is the product of only two
primes) and knowledge of one of these, say β, is sufficient to find a factor
gcd(β − 1, n) of n. Hence, although C could attempt to cheat in this way, the
result is that the third party can forge any signature of C.

To summarize, we can prove the following. 

Lemma 1. Properties 1, 2 and 3 all hold for the scheme. At the end of the
transaction, C obtains the goods if and only if M gains a true RSA signature
from the customer of the order.

The use of RSA signatures in this protocol allows it to be more efficient than
protocols using verifiable encryption. Asokan, Shoup and Waidner [1] present a
general fair exchange protocol which can also be used with a range of signature
and encryption schemes. This includes a scheme which also uses all RSA
signatures and an encrypted signature verification step. But Asokan, Shoup and
Waidner’s protocol is less efficient in terms of messages sent by a factor of 10
when compared to the ones using designated converter signatures.
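To make the message flows of sections 4.1 to 4.3 and the order-2 caveat of section 4.4 concrete, the following Python simulation is an added example; it is not code from this paper or from GKR. It uses toy safe primes p = 2039 and q = 2207, SHA-256 in place of the paper’s unspecified hash H and as the commitment function, fixed demo values for the TTP secret K and the customer identity, and a bound u = 2^16 for the merchant’s challenge exponents (all assumptions). TTP’s signature on the ticket and the encryptions E_C(d_1), E_C(Goods) and E_TTP(Goods) are left out because they do not affect the arithmetic. Running it exercises the registration check S(ω)^{d_1 e} = ω, the 4-move confirmation accepting S(m) = m^{d_2} and rejecting a forged partial signature, TTP’s conversion S(m)^{d_1} coinciding with C’s ordinary RSA signature m^d, and a partial signature multiplied by an order-2 element α handing TTP a factor of n.

```python
"""Added example (not from the Boyd-Foo paper or GKR): toy-size simulation of
the section 4 protocol.  Python 3.8+ (pow(x, -1, n) gives modular inverses)."""
import hashlib
import random
from math import gcd

OMEGA = 2            # reference message; GKR show omega = 2 is a safe choice
U_BOUND = 2 ** 16    # merchant's challenge exponents i, j lie in [1..u] (assumption)


def H(*parts) -> int:
    """Hash to an integer; SHA-256 stands in for the paper's unspecified H."""
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def customer_keygen(p_prime=1019, q_prime=1103, e=17):
    """C's RSA key with p = 2p'+1, q = 2q'+1 (constructed toy safe primes 2039, 2207)."""
    p, q = 2 * p_prime + 1, 2 * q_prime + 1
    n, phi = p * q, 4 * p_prime * q_prime          # phi(n) = 4p'q'
    return {"n": n, "e": e, "d": pow(e, -1, phi), "phi": phi, "p": p, "q": q}


def ttp_share(K: bytes, cid: bytes) -> int:
    """d1 = 2H(K, C) + 1: odd, and recomputable from C's identity without state."""
    return 2 * H(K, cid) + 1


def register(key, K, cid):
    """R1-R2c: split the secret key into d1 (held by TTP) and d2 (held by C)."""
    n, e, phi = key["n"], key["e"], key["phi"]
    d1 = ttp_share(K, cid)                          # R2a (sent to C under E_C)
    # gcd(d1, phi) = 1 is the paper's requirement; 'odd' suffices for real-size p', q'
    assert gcd(d1, phi) == 1
    d2 = pow(d1 * e, -1, phi)                       # d1 * d2 * e = 1 mod phi(n)
    s_omega = pow(OMEGA, d2, n)                     # reference signature S(omega)
    # R2b: TTP accepts only if S(omega)^(d1 e) = omega, then signs the ticket (omitted)
    assert pow(s_omega, d1 * e, n) == OMEGA
    return d2, s_omega


def partial_sign(m, d2, n):
    """P1: S(m) = m^d2 mod n; only the confirmation protocol can verify it."""
    return pow(m, d2, n)


def confirm(m, s_m, s_omega, d1, e, n, rng):
    """P2a-P2d, the GKR 4-move confirmation between C (prover) and M (verifier).
    Returns True if M accepts that TTP can complete S(m)."""
    i, j = rng.randint(1, U_BOUND), rng.randint(1, U_BOUND)     # M picks i, j
    Q = pow(s_m, i, n) * pow(s_omega, j, n) % n                 # P2a: Q to C
    A = pow(Q, d1 * e, n)           # C: equals m^i omega^j iff S(m) = m^d2
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    commitment = H(A, nonce)                                    # P2b: commit(A) to M
    # P2c: M reveals i, j; C checks Q before opening (GKR's protocol has this check)
    if Q != pow(s_m, i, n) * pow(s_omega, j, n) % n:
        return False
    # P2d: C opens A; M checks the commitment and A = m^i omega^j mod n
    return H(A, nonce) == commitment and A == pow(m, i, n) * pow(OMEGA, j, n) % n


def dispute_convert(s_m, m, K, cid, e, n):
    """D1-D2: TTP recomputes d1, converts S(m)^d1 and checks it with the public e."""
    sig = pow(s_m, ttp_share(K, cid), n)
    return sig if pow(sig, e, n) == m else None


def order_two_element(p, q, n):
    """alpha with alpha^2 = 1 but alpha != +-1 mod n (CRT: +1 mod p, -1 mod q)."""
    return (q * pow(q, -1, p) - p * pow(p, -1, q)) % n


def cheat_backfires(s_m, m, key, K, cid):
    """Section 4.4 caveat: C hands out alpha*S(m).  Conversion yields alpha*Sig_C(m)
    (d1 is odd), so TTP recovers alpha and with it a factor of n."""
    n, e = key["n"], key["e"]
    alpha = order_two_element(key["p"], key["q"], n)
    converted = pow(alpha * s_m % n, ttp_share(K, cid), n)
    recovered = pow(converted, e, n) * pow(m, -1, n) % n    # alpha^e = alpha (e odd)
    return recovered == alpha and gcd(recovered - 1, n) in (key["p"], key["q"])


def run_demo(seed=1):
    key = customer_keygen()
    n, e = key["n"], key["e"]
    K, cid = b"ttp master secret (constructed)", b"customer C (constructed)"
    d2, s_omega = register(key, K, cid)
    d1 = ttp_share(K, cid)
    m = H(b"product=42;price=10.00;merchant=M (constructed)") % n   # hashed/padded m
    s_m = partial_sign(m, d2, n)
    rng = random.Random(seed)
    converted = dispute_convert(s_m, m, K, cid, e, n)
    return {
        "merchant_accepts": confirm(m, s_m, s_omega, d1, e, n, rng),
        "forgery_rejected": not confirm(m, 3 * s_m % n, s_omega, d1, e, n, rng),
        "conversion_is_rsa_signature": converted == pow(m, key["d"], n),
        "order2_cheat_caught": cheat_backfires(s_m, m, key, K, cid),
    }


if __name__ == "__main__":
    print(run_demo())
```

The forged partial signature 3·S(m) passes C’s own consistency check on Q but fails M’s final test because A picks up the factor 3^{i d_1 e}, which is exactly the equality of exponents the GKR confirmation proves. In the dispute path TTP never needs d_2 or φ(n): it recomputes d_1 from (K, C) and checks the converted value with the public exponent e only.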

5 Acknowledgements 

Thanks to Wenbo Mao for suggesting that we study the area of fair exchange
protocols. Thanks also to the anonymous referees who found critical
typographical errors in our manuscript.



References 

1. N. Asokan, Victor Shoup, and Michael Waidner. Optimistic Fair Exchange of
Digital Signatures. In Advances in Cryptology - Proceedings of EUROCRYPT ’98,
pages 591-606, Espoo, Finland, May 1998. Springer-Verlag.

2. Feng Bao, Robert H. Deng, and Wenbo Mao. Efficient and Practical Fair Exchange
Protocols with Off-line TTP. In Proceedings of the 1998 IEEE Symposium on
Security and Privacy, 1998.

3. Joan Boyar, David Chaum, and Ivan Damgard. Convertible Undeniable Signatures.
In Advances in Cryptology - Proceedings of CRYPTO ’90, pages 189-205.
Springer-Verlag, 1991.

4. David Chaum. Designated Confirmer Signatures. In Advances in Cryptology -
Proceedings of EUROCRYPT ’94, pages 86-91, Perugia, Italy, May 1994.
Springer-Verlag.

5. David Chaum and Hans van Antwerpen. Undeniable Signatures. In Advances in
Cryptology - Proceedings of CRYPTO ’89, pages 212-216, 1989.

6. Ivan Damgard and Torben Pedersen. New Convertible Undeniable Signature
Schemes. In Advances in Cryptology - Proceedings of EUROCRYPT ’96, pages
372-386, Berlin Heidelberg, 1996. Springer-Verlag.

C. Boyd and E. Foo

7. T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on
Discrete Logarithms. In IEEE Transactions on Information Theory, volume IT-31
(4), pages 637-647, 1985.

8. Matthew K. Franklin and Michael K. Reiter. Fair Exchange with a Semi-Trusted
Third Party. In Proceedings of the 4th ACM Conference on Computer and
Communications Security, April 1997.

9. Ravi Ganesan and Yacov Yacobi. A Secure Joint Signature and Key Exchange
System. Technical report, Bellcore Technical Memorandum, 1994.

10. Rosario Gennaro, Hugo Krawczyk, and Tal Rabin. RSA-Based Undeniable
Signatures. In Advances in Cryptology - Proceedings of CRYPTO ’97, pages
132-149. Springer-Verlag, 1997.

11. L. C. Guillou and J. J. Quisquater. A Paradoxical Identity-Based Signature
Scheme Resulting from Zero Knowledge. In Advances in Cryptology - CRYPTO ’88,
pages 216-231. Springer-Verlag, 1988.

12. Wenbo Mao. Publicly Verifiable Partial Key Escrow. In ACISP’97, pages
240-248. Springer-Verlag, 1997.

13. Markus Michels, Holger Petersen, and Patrick Horster. Breaking and Repairing
a Convertible Undeniable Signature Scheme. In Proceedings of the 3rd ACM
Conference on Computers and Communications Security, pages 148-152, New Delhi,
1996. ACM Press.

14. Markus Michels and Markus Stadler. Efficient Convertible Undeniable
Signature Schemes. In SAC ’97, 1997.

15. T. Okamoto and K. Ohta. How to Simultaneously Exchange Secrets by General
Assumption. In Proceedings of the 2nd ACM Conference on Computer and
Communications Security, pages 184-192, 1994.

16. Tatsuaki Okamoto. Designated Confirmer Signatures and Public Key Encryption
are Equivalent. In Advances in Cryptology - Proceedings of CRYPTO ’94, pages
61-74, Santa Barbara, California, August 1994. Springer-Verlag.

17. Markus Stadler. Publicly Verifiable Secret Sharing. In Advances in
Cryptology - Proceedings of EUROCRYPT ’96, pages 190-199, Berlin Heidelberg,
1996. Springer-Verlag.

18. Jianying Zhou and Dieter Gollman. A Fair Non-repudiation Protocol. In
Proceedings of the 1996 IEEE Symposium on Security and Privacy, pages 55-61,
Oakland, CA, 1996. IEEE Computer Press.

A Breaking the Bao, Deng and Mao Fair Exchange Protocol

The second protocol of Bao, Deng and Mao [2] uses verifiable ElGamal encryption
[7] of a Guillou-Quisquater (GQ) signature [11] to provide fair exchange. The
system wide public parameters are n, g, q, v where n = PQ is the modulus used
for GQ signatures and P = 2p'q + 1 and Q = 2pq + 1 where P, Q, p, p', q are all
primes, g is an element of order q and v is the public exponent used for GQ
signatures.

A GQ signature of a message M is a pair (d, D) for which
d = h(M, D^v J^d mod n) where h is a published one way hash function (and J is
the signer’s GQ public key). In the protocol only D is encrypted using the public
key PK_TTP of TTP. ElGamal encryption is used to form the ciphertext pair
(W, V_TTP) = (g^w mod n, D (PK_TTP)^w mod n) for a randomly chosen w. In order
to bind D to the ciphertext, the value V = D^v mod n is also calculated and used
as part of the ‘challenge’ c generated using a hash function ℋ.

c = ℋ(g, W, (PK_TTP)^v, V_TTP^v / V, a, A)

where a = g^u mod n and A = (PK_TTP)^{uv} mod n for a random value u. Finally
the ‘response’ r = u − cw mod q is calculated. The following parameters are then
sent from the prover to the verifier.

M, (W, V_TTP), r, c, V, d

The verifier can use these parameters to ensure that the third party is able to
decrypt the ElGamal ciphertext (W, V_TTP) to obtain the correct D value so that
(d, D) is the GQ signature of M.

The attack consists of showing that the verifier is able to calculate
(PK_TTP)^w mod n and hence decrypt the ElGamal ciphertext to obtain D without
the help of TTP. In other words the verifier (or any observer) can convert that
signature without the help of TTP. The main observation is that since PK_TTP is
in the orbit of g, to remove exponents of PK_TTP it is necessary only to invert
them modulo q (which is known) and not modulo n (which is not known). Thus the
verifier first calculates
A = ((PK_TTP)^v)^r (V_TTP^v / V)^c mod n = (PK_TTP)^{uv} mod n (this is part of
the intended verification process). Then the verifier calculates
A^{v^{-1} mod q} = (PK_TTP)^u mod n and also (PK_TTP)^r mod n. This allows
calculation of (PK_TTP)^{cw} mod n since the following holds.

(PK_TTP)^{cw} = (PK_TTP)^u / (PK_TTP)^r mod n

Finally the verifier obtains ((PK_TTP)^{cw})^{c^{-1} mod q} = (PK_TTP)^w mod n
as required.
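The algebra of the appendix, replayed as an added example that is not part of the paper or of Bao, Deng and Mao’s own work: a toy-parameter Python script with n = 67 · 419, q = 11, v = 5, a constructed GQ key pair (B, J), a constructed TTP key, fixed values standing in for the random w and u, and SHA-256 standing in for both h and ℋ (all assumptions). It runs the prover and verifier sides of the Bao, Deng and Mao proof, then has the verifier recover D by the four steps above, which is why Property 2 of section 2 fails for that protocol. The retry loop on u, which only keeps c ≠ 0 modulo the tiny q, is a demo-only assumption; with a realistic q it is never needed.

```python
"""Added example (not from the Boyd-Foo paper or from Bao, Deng and Mao): the
Appendix A observation replayed with toy parameters.  Python 3.8+."""
import hashlib
from math import gcd

# System-wide parameters (constructed): n = PQ, P = 2p'q + 1, Q = 2pq + 1, g of order q
Q_ORD = 11                                        # q: order of g, public
P_, Q_ = 2 * 3 * Q_ORD + 1, 2 * 19 * Q_ORD + 1    # 67 and 419 (p' = 3, p = 19), both prime
N = P_ * Q_                                       # 28073
V = 5                                             # GQ public exponent, gcd(V, phi(n)) = 1


def hash_int(*parts, mod):
    """SHA-256 reduced modulo `mod`, standing in for h (GQ) and the challenge hash."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % mod


def find_generator():
    """An element g of order q mod n; only the setup uses lambda(n) = lcm(P-1, Q-1)."""
    lam = (P_ - 1) * (Q_ - 1) // gcd(P_ - 1, Q_ - 1)
    for x in range(2, N):
        g = pow(x, lam // Q_ORD, N)               # g^q = 1, so g has order 1 or q
        if g != 1:
            return g


G = find_generator()
PK_TTP = pow(G, 7, N)                             # TTP's ElGamal public key, secret 7 (constructed)


def gq_keygen(B):
    """GQ: secret B, public J with J * B^v = 1 mod n."""
    return pow(pow(B, V, N), -1, N)


def gq_sign(msg, B, r=123):
    """(d, D) with d = h(M, r^v mod n) and D = r * B^d; r fixed for determinism."""
    d = hash_int(msg, pow(r, V, N), mod=N)
    return d, r * pow(B, d, N) % N


def gq_verify(msg, d, D, J):
    """d = h(M, D^v J^d mod n), since D^v J^d = r^v (B^v J)^d = r^v."""
    return d == hash_int(msg, pow(D, V, N) * pow(J, d, N) % N, mod=N)


def bdm_prove(msg, d, D, w=4):
    """Prover: ElGamal-encrypt D to TTP and prove log_g W = log_{PK^v}(V_TTP^v / V)."""
    W, V_ttp = pow(G, w, N), D * pow(PK_TTP, w, N) % N
    Vd = pow(D, V, N)                                       # V = D^v binds D
    pk_v = pow(PK_TTP, V, N)
    ratio = pow(V_ttp, V, N) * pow(Vd, -1, N) % N           # = (PK^v)^w
    u = 3
    while True:                     # demo-only retry so that c != 0 mod the tiny q
        a, A = pow(G, u, N), pow(PK_TTP, u * V, N)
        c = hash_int(G, W, pk_v, ratio, a, A, mod=Q_ORD)
        if c:
            break
        u += 1
    r = (u - c * w) % Q_ORD
    return msg, (W, V_ttp), r, c, Vd, d


def bdm_verify(J, proof):
    """Verifier: rebuild a, A from (r, c), check the challenge and the GQ relation on V."""
    msg, (W, V_ttp), r, c, Vd, d = proof
    pk_v = pow(PK_TTP, V, N)
    ratio = pow(V_ttp, V, N) * pow(Vd, -1, N) % N
    a = pow(G, r, N) * pow(W, c, N) % N                     # = g^u
    A = pow(pk_v, r, N) * pow(ratio, c, N) % N              # = PK^(uv)
    ok = c == hash_int(G, W, pk_v, ratio, a, A, mod=Q_ORD)
    ok = ok and d == hash_int(msg, Vd * pow(J, d, N) % N, mod=N)
    return ok, A


def verifier_recovers_D(proof, A):
    """Appendix A: PK_TTP lies in <g>, so its exponents invert modulo the public q."""
    _, (_, V_ttp), r, c, _, _ = proof
    pk_u = pow(A, pow(V, -1, Q_ORD), N)                     # A^(v^-1 mod q) = PK^u
    pk_cw = pk_u * pow(pow(PK_TTP, r, N), -1, N) % N        # PK^u / PK^r = PK^(cw)
    pk_w = pow(pk_cw, pow(c, -1, Q_ORD), N)                 # (PK^(cw))^(c^-1 mod q) = PK^w
    return V_ttp * pow(pk_w, -1, N) % N                     # D = V_TTP / PK^w


def run_demo():
    """Returns (proof verifies, recovered D is the GQ signature component)."""
    msg, B = "pay 10.00 to M for item 42 (constructed)", 5
    J = gq_keygen(B)
    d, D = gq_sign(msg, B)
    proof = bdm_prove(msg, d, D)
    ok, A = bdm_verify(J, proof)
    D_rec = verifier_recovers_D(proof, A)
    return ok, D_rec == D and gq_verify(msg, d, D_rec, J)
```

The recovery uses nothing beyond the public transcript and q: every value the verifier exponentiates has order q, so v and c are inverted modulo q rather than modulo the unknown group order, which is the observation the appendix makes.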
Abstract. We propose a new efficient protocol, which allows a pair of
potentially mistrusting parties to exchange digital signatures over the Internet
in a fair way, such that after the protocol is running, either each party
obtains the other’s signature, or neither of them does. The protocol relies on
an off-line Trusted Third Party (TTP), which does not take part in the exchange
unless any of the parties behaves improperly or other faults occur. Efficiency
of the protocol is achieved by using a cryptographic primitive, called
confirmable signatures (or designated confirmer signatures in its original
proposal 0). We recommend using a new efficient confirmable signature scheme in
the proposed fair exchange protocol. This scheme combines the family of discrete
logarithm (DL) based signature algorithms and a zero-knowledge (ZK) proof on the
equality of two DLs. The protocol has a practical level of performance: only a
moderate number of communication rounds and ordinary signatures are required.
The security of the protocol can be established from that of the underlying
signature algorithms and that of the ZK proof used.



1 Introduction 

Since electronic commerce is playing a more and more important role in today’s
world, a related security issue - how to exchange electronic data, particularly
digital signatures, between two parties over the Internet in a fair and
efficient manner - is becoming of more and more importance. Imagine the
following scenario that may happen in, for instance, signing electronic
contracts and purchase of electronic goods. Two parties Alice and Bob need to
exchange their digital signatures on agreed messages; but neither wants to send
her/his signature before obtaining the other’s because they do not trust each
other. The basic requirement for Alice and Bob on the fairness of exchanging
signatures is that either each of them gets the other’s signature, or neither of
them does.

1.1 The Related Previous Work 

How to sort out the fair exchange problem has attracted much research
attention. The original idea for the realisation of fair exchange is that two
parties “simultaneously” disclose messages by many steps. Two mathematical
models for realising simultaneous disclosure of messages have been proposed as
follows.

K. Ohta and D. Pei (Eds.): ASIACRYPT’98, LNCS 1514, pp. 286-..., 1998. 
The first is a computational model (e.g., [?]). In this ap- 
proach, Alice and Bob exchange digital signatures (or agreed secret messages) 
piece by piece (e.g. bit by bit), where the correctness of each bit is verifiable. If 
both of them follow the approach correctly, they will receive the signatures at 
the end of a successful protocol run. If either of them aborts in the middle of 
the protocol running, this early stopper will at most obtain one more bit than 
the other party. This extra bit does not result in a significant advantage in fin- 
ding the remaining secret bits unexchanged. Obviously, a virtue of this approach 
is that Alice and Bob can sort out the fair exchange problem without any in- 
tervention of a third party. The cost of this virtue is in two respects. (1) This 
approach is based on the assumption that Alice and Bob have equal computing 
power. However, this assumption may not be realistic and desirable for them. 
(2) This approach has a poor performance: many rounds (usually hundreds) of 
interactions between them are required. 



The second type of model is a probabilistic model (e.g., [?]). For exchan- 
ging signatures on an agreed message, Alice and Bob sign and exchange many 
signatures on different events. Each event has a small probability binding with 
the agreed message. In order to increase the probabilities of their commitment to 
the message, they have to exchange a great number of signatures. This approach 
removes the requirement on equal computing powers of Alice and Bob. But it 
needs intervention of a third party in a weak form. In [?], an active third party 
defines the events by broadcasting a random number each day. In [?], a passive 
third party is invoked, only when a dispute between Alice and Bob occurs, to 
arbitrate the dispute according to a simple computation on events. Similarly to 
the first model, the major drawback of this approach is a poor performance. 



In order to reduce the communicational and computational cost of simul- 
taneous disclosure of messages, recent fair exchange research has proposed a 
variety of interventions of a Trusted Third Party (TTP), which can be on-line 
or off-line. 



In an on-line TTP based approach (e.g. [?]), the TTP, who acts 
as a mediator between Alice and Bob, checks the validity of every transaction 
and then forwards correct data to both parties. The major disadvantage in this 
approach is that the TTP is always involved in the exchange even if both Alice 
and Bob are honest and no fault occurs, so that it results in another big cost of 
maintaining availability of the on-line TTP. 

A number of off-line TTP based approaches have been proposed to reduce 
the requirement of TTP availability. In these approaches, the TTP does not take 
part in normal exchanges, it gets involved only where dishonest parties do not 
perform properly or other faults occur. 

In [?], the TTP provides either of the following two services to guarantee 
the fairness. (i) The TTP is able to undo a transfer of an item, and/or produce 
a replacement for it. (ii) When a misbehaving party gets the other party’s data 
and refuses to give his/her own one, the TTP will issue affidavits attesting to 
what happened. Obviously, neither of these TTP services meets the needs of 
many applications. 




L. Chen 



Bao, Deng and Mao in [?], which is based on the solution of [?], and Asokan, 
Shoup and Waidner in [2] separately proposed a novel off-line TTP based ap- 
proach that uses verifiable public-key encryption to ensure fairness of signature 
exchanges. In [?], Alice first encrypts her ordinary signature under the TTP’s 
public key and demonstrates the correctness of the encryption to Bob via an 
interactive ZK proof. Next Bob sends his ordinary signature to Alice, and Alice 
returns her ordinary one back. If Bob does not receive Alice’s signature correctly, 
he will send Alice’s encrypted signature and his own ordinary signature to the 
TTP. The TTP will do the corresponding decryption and check the validity of 
both signatures. If all the checks pass, the TTP will transfer these two signatures 
between Alice and Bob. 

The approach of [?] is based on a primitive, called a homomorphic inverse 
of a signature (e.g., a DL for DSS [?] and Schnorr signatures, and an RSA 
inverse for RSA [?] signatures). Alice and Bob first reduce a “promise” of a 
signature to the “promise” of a particular homomorphic inverse. Then, they 
encrypt their promised inverses under the TTP’s public key and demonstrate 
the correctness of the encryption in a non-transferable way to each other. Once 
the encryption has been demonstrated correct, they disclose their promised inverses. If either of 
them (say Bob) does not receive a correct inverse of the other (Alice), he will send 
the encrypted homomorphic inverse of Alice and a promised inverse of his own 
to the TTP. The TTP will decrypt and check the validity of both signatures. 
After all the checks pass, the TTP will send Alice’s inverse to Bob and then 
record Bob’s one in case Alice later requires it. 

Although the idea of using verifiable encryption in an off-line TTP based fair 
exchange is clever, it is difficult to implement this idea in an efficient and generic 
manner because so far there has not been a generic and efficient construction 
of publicly verifiable encryption. A well-known solution of publicly verifiable 
encryption, [22], is based on the inefficient “cut and choose” method. Bao recently 
in [?] proposed a more efficient scheme using the Okamoto-Uchiyama trapdoor one- 
way function [25], which is not a generic construction. How to design an efficient 
and generic construction of publicly verifiable cryptographic systems is still an 
interesting and hard open problem. 

In order to improve efficiency, [?] recommended the use of a modified Guillou- 
Quisquater signature algorithm [?] with the ElGamal encryption algorithm [?]. 
This protocol was recently attacked by Boyd and Foo [?], as the verifier is able 
to obtain the signer’s signature without the help of the TTP. On a closer look 
at the properties of fair exchange, there is another problem in this protocol: 
the encrypted signature cannot be simulated. Again to improve efficiency, [2] 
proposed a solution called off-line coupons where each party needs to retrieve the 
TTP’s coupons before starting a fair exchange protocol. Clearly, this increases 
the cost of maintaining availability and security of the off-line TTP service. 

We finally state, in the author’s view, that the previous work has not pro- 
duced an efficient and widely acceptable approach for fair exchange of digital 
signatures over the Internet. 
1.2 The New Contribution 

In this paper, we propose a new approach for fair exchange of digital signatures 
which uses verifiable confirmation of signatures in place of verifiable encryption 
of signatures in [?]. Both verifiable encryption and verifiable confirmation of 
signatures can be used to provide off-line TTP based fair exchange. However, 
the existing constructions of verifiable confirmation are much more efficient and 
generic than that of verifiable encryption. 

The contribution of the paper is organised as two parts. In the first part (the 
next section) we introduce a new off-line TTP modelled fair exchange protocol 
which is based on a cryptographic primitive, called confirmable signatures (or 
designated confirmer signatures in the original proposal [9]), to guarantee the 
fairness. In this protocol, the TTP acts as a designated confirmer. There is no 
restriction for the protocol as to which confirmable signature scheme will be 
used. In the second part (Section 3), we present a new realisation of confirmable 
signatures which is constructed by using the family of DL problem based digital 
signature algorithms. It is one of the confirmable signature schemes suitable for the 
proposed fair exchange protocol. 

2 Protocol for Fair Exchange 

In this section, we present a fair exchange protocol, which allows a pair of par- 
ties to exchange digital signatures with an off-line TTP’s intervention in a fair 
manner. 

The protocol involves three players: two exchange parties, Alice (A) and Bob 
(B), plus one off-line TTP, Colin (C), who acts as a designated confirmer. Each of 
these players has a secret and public key pair denoted by $S_X$ and $P_X$ respectively 
(where $X \in \{A, B, C\}$), which is used for digital signature and verification. 
Suppose that there exists a secure binding between each player’s identity and 
the corresponding public key. Such a binding may be in the form of a public key 
certificate that was issued by a certification authority. Suppose further that the 
communication channels between these three players are protected to guarantee 
integrity and confidentiality (if required) . 

2.1 Model, Notation and Explanation 

We denote $\mathrm{Sig}_X(m)$ ($X \in \{A, B, C\}$) as an ordinary signature on a message 
$m$ signed using $S_X$, which can be universally verified using $P_X$. We denote 
$\mathrm{CSig}_Y(m)$ ($Y \in \{A, B\}$) as a confirmable signature on $m$ signed using $S_Y$. We 
denote $\textit{Sta-of-CSig}_Y(m)$ as a validity statement of $\mathrm{CSig}_Y(m)$; for instance, 
in the recommended confirmable signature scheme, as described in Section 3, 
$\textit{Sta-of-CSig}_Y(m)$ is the equality of two DLs. It can be proved by using either 
$S_Y$ or $S_C$. 

A confirmable signature bound with its statement is universally verifiable 
and is as valid as an ordinary signature. Thus, 

$\{\mathrm{CSig}_Y(m),\ \textit{Sta-of-CSig}_Y(m)\} = \mathrm{Sig}_Y(m).$ 

Without the statement, the binding between $Y$ and $\mathrm{CSig}_Y(m)$ cannot be 
claimed. 

In order to prove $\textit{Sta-of-CSig}_Y(m)$ from one party (as signer named $Y$) to 
the other (as verifier) in a non-transferable way, we make use of an interactive 
ZK proof between the two parties, named $\mathrm{Conf}_Y$, which, on common inputs of 
$m$, $P_Y$, $P_C$, a string $\mathit{Claim}$ and on secret input of $S_Y$, outputs “true” or “false”. 
That is, 

$\mathrm{Conf}_Y(\textit{Sta-of-CSig}_Y(m) \mid m, P_Y, P_C, \mathit{Claim}) = \text{true or false}.$ 

If the output is “true”, it is proved that $\mathit{Claim}$ is $\mathrm{CSig}_Y(m)$; if the output is “false”, it 
is proved that $\mathit{Claim}$ is not $\mathrm{CSig}_Y(m)$. 

In a confirmable signature scheme, the confirmer can make either a non- 
transferable confirmation or a transferable confirmation of $\textit{Sta-of-CSig}_Y(m)$. 
For the purpose of the proposed fair exchange protocol, we only need the trans- 
ferable one. In the protocol of the next subsection, an ordinary signature on 
$\textit{Sta-of-CSig}_Y(m)$ signed using $S_C$ will be used for the transferable confirmation 
of $\mathrm{CSig}_Y(m)$. A confirmable signature suitable for the proposed fair exchange 
protocol has the following three properties. 

— Invisibility. $\mathrm{CSig}_Y(m)$ can be simulated by using a polynomial-time algo- 
rithm. 

— Unforgeability. No polynomial-time algorithm can forge such a signature that 
can be confirmed to have a validity statement. 

— Undeniability. The signer of $\mathrm{CSig}_Y(m)$ cannot deny having issued this confirma- 
ble signature if $\mathrm{CSig}_Y(m)$ is bound to $\textit{Sta-of-CSig}_Y(m)$. 

2.2 The Protocol 

Suppose that Alice and Bob have agreed on a message (such as a contract) 
M . The protocol for fair exchange of signatures on M between Alice and Bob 
proceeds as follows. Without loss of generality, we assume that Alice is the 
protocol initiator. 

Protocol FE 

1. Alice computes her confirmable signature on $M$, $\mathrm{CSig}_A(M)$, and sends it to 
Bob. 

2. Alice and Bob run an interactive ZK protocol $\mathrm{Conf}_A$, e.g. as described in 
Section 3, proving $\textit{Sta-of-CSig}_A(M)$. If 

$\mathrm{Conf}_A(\textit{Sta-of-CSig}_A(M) \mid M, P_A, P_C, \mathrm{CSig}_A(M)) = \text{false},$ 

the proof is rejected and the protocol stops. If 

$\mathrm{Conf}_A(\textit{Sta-of-CSig}_A(M) \mid M, P_A, P_C, \mathrm{CSig}_A(M)) = \text{true},$ 

Bob computes and sends Alice his ordinary signature $\mathrm{Sig}_B(M)$. 
3. After receiving $\mathrm{Sig}_B(M)$, Alice verifies whether it is a valid signature. If not, 
Alice halts; if it is valid, Alice accepts the signature, and then computes and 
sends Bob her ordinary signature $\mathrm{Sig}_A(M)$. 

4. Upon the receipt of $\mathrm{Sig}_A(M)$, Bob verifies whether it is a valid one. If it is, 
Bob accepts the signature, and the protocol completes. 

5. If Bob receives an invalid signature or nothing during a designed time period, 
Bob sends both $\mathrm{Sig}_B(M)$ and $\mathrm{CSig}_A(M)$ to Colin. Colin first checks whether 
$\mathrm{Sig}_B(M)$ is Bob’s valid signature on $M$, and secondly checks, by using his 
secret key $S_C$, whether $\mathrm{CSig}_A(M)$ is Alice’s valid confirmable signature on 
$M$. If either of these two checks does not pass, Colin does not provide a 
confirmation service. If both of the checks pass, Colin computes and sends 
Bob his signature on $\textit{Sta-of-CSig}_A(M)$, and in the meantime, he forwards 
$\mathrm{Sig}_B(M)$ to Alice. 

2.3 Analysis of Protocol FE 

We now consider the behavior of Alice and Bob. If both of them follow the 
protocol properly, it is easy to see that Alice and Bob will obtain each other’s 
signatures without any involvement of Colin. 

If Bob performs improperly, he may send Alice either an incorrect $\mathrm{Sig}_B(M)$ 
or nothing in Item 2. In both of the cases, Alice does not send $\mathrm{Sig}_A(M)$ to Bob 
in Item 3, and Bob has to ask Colin for confirmation of $\mathrm{CSig}_A(M)$ if he wants 
Alice’s signature. Based on Item 5, Colin makes such a confirmation for Bob 
only if Bob gives a valid $\mathrm{Sig}_B(M)$, which will be forwarded to Alice. 

If Alice does not follow the protocol properly, either of the following two 
situations may happen. (i) Alice sends Bob a non-confirmable signature in Item 
1. In this case, she cannot demonstrate 

$\mathrm{Conf}_A(\textit{Sta-of-CSig}_A(M) \mid M, P_A, P_C, \mathrm{CSig}_A(M)) = \text{true}$ 

in Item 2 to Bob. (ii) She sends an invalid $\mathrm{Sig}_A(M)$ or nothing to Bob in Item 
3. In this case, Bob can obtain the confirmation of $\mathrm{CSig}_A(M)$ from Colin. 

As mentioned earlier, the fairness of exchanging signatures between two par- 
ties means that either each party gets the other’s signature, or neither party 
does. In terms of the definition of fairness, we can conclude that neither Alice 
nor Bob can gain any benefit by performing improperly, so that Protocol FE 
can achieve fair exchange between Alice and Bob. 

However, in Protocol FE, after accepting $\mathrm{CSig}_A(M)$, Bob has the advantage 
of choosing whether to stop or continue. If this makes Alice feel unfairly treated, the 
protocol can be slightly changed. Following Alice having proved her confirmable 
signature to Bob, Bob proves his confirmable signature to Alice. Then Alice 
releases her ordinary signature and Bob releases his ordinary one. Both Alice 
and Bob can ask Colin for a confirmation service. As in Protocol FE, Colin 
always makes confirmation of a signature for one party and forwards an ordinary 
signature to another party. Before Colin provides the confirmation, Alice is able 
to ask Colin to invoke an abort (i.e. by an abort sub-protocol as in [?]). Here 
Colin needs to maintain an extra record about “abort” and “confirmed”. 
A normal run of the protocol, where there is no intervention of Co- 
lin, includes only five communication rounds: three rounds for non-transferable 
confirmation of $\mathrm{CSig}_A(M)$ (Items 1 and 2, using the recommended scheme of 
Section 3), and two rounds for the exchange of $\mathrm{Sig}_B(M)$ and $\mathrm{Sig}_A(M)$ (Items 2 and 
3). 

Note that both parties’ identifiers must be indicated in $\mathrm{CSig}_A(M)$, which 
could be a part of the message $M$. Otherwise, Colin can know only that Alice 
is one of the exchange parties, and he cannot know who the other is. In this 
case, an intruder (who may be Bob’s colluder), given $\mathrm{CSig}_A(M)$, can obtain the 
confirmation of $\mathrm{CSig}_A(M)$ from Colin by providing his own signature on $M$. 
After the protocol has run, Alice will get an unexpected intruder’s signature 
in place of Bob’s one, which is not what she wants. 

Protocol FE can be modified to meet the following different requirements of 
message styles. 

Assume that Alice and Bob want to keep $M$ confidential from Colin. They can 
use a one-way hash function, $h()$, and replace $M$ with $h(M)$ in Protocol FE. 

Assume that Alice and Bob want to sign two messages $M_A$ and $M_B$, where 
both Alice’s signature on $M_A$ and Bob’s signature on $M_B$ can be universally 
verified. In this case Colin should be able to check if he is making a confirmation 
service for a real agreement between Alice and Bob. For this purpose, each file 
signed by one party must include an indicator of the file signed by the other. 
For example, as used in [?], Alice signs $M_A \| h(M_B)$ and Bob signs $M_B \| h(M_A)$, 
where $\|$ denotes concatenation. Otherwise (e.g., if Alice and Bob directly sign $M_A$ 
and $M_B$ respectively, for $M_A$ and $M_B$ that have no explicit relationship 
to each other), Bob may send Colin $\mathrm{CSig}_A(M_A)$ with $\mathrm{Sig}_B(M_B')$ for the confir- 
mation service. Finally Bob gets a real confirmed signature of Alice, who will get 
only a signature on a meaningless message $M_B'$. Furthermore, if it is required 
that both $M_A$ and $M_B$ are confidential from Colin, Alice and Bob can have extra 
secret and public key pairs for encryption and decryption. In this case, $M_A$ will 
be replaced by $M_A$ encrypted under Bob’s encryption public key and $M_B$ will 
be replaced by $M_B$ encrypted under Alice’s encryption public key as well. 

If it is required with certain applications, the protocol can be modified by 
including multiple confirmers instead of a single one. 



3 A Confirmable Signature Scheme 

The concept and the first realisation of confirmable signatures (called designa- 
ted confirmer signatures in [9]) was proposed by Chaum [9], where he presented 
a realisation on the RSA signature algorithm. Following Chaum’s idea, Oka- 
moto proposed a more generic confirmable signature scheme [?]. However, that 
scheme was later attacked by Michels and Stadler [?], as the confirmer can forge 
signatures. 

Michels and Stadler also proposed their own confirmable signature scheme 
based on a primitive called the confirmer commitment scheme. The scheme places 
a message in the position of a committal (i.e., commit to a message), and the 
confirmer is able to prove whether or not a given commitment contains a certain 
message. Using this scheme, two classes of ordinary digital signatures can be 
transformed into related confirmable signatures. The first class consists of the 
signatures that are based on proofs of some particular style of knowledge. Both 
the Schnorr signature and the Fiat-Shamir signature can be used in this way. 
The second class consists of the signatures that have the property of existential 
forgeability. For this kind of signature, an attacker can compute a universally 
verifiable message-signature pair without further constraint on the message. The 
RSA signature and the ElGamal signature are two good examples of this class. 

This section presents a new confirmable signature scheme. In this scheme, 
a confirmable signature contains a validity statement, which is the equality of 
two DLs, and which can efficiently be proved either via running a ZK protocol, 
or via verifying an ordinary digital signature signed by the confirmer. Any DL 
based signature algorithm and any ZK protocol for proving the equality or the 
inequality of two DLs can be used in this scheme. The security of the scheme 
can be established from that of the underlying signature schemes and that of 
the ZK protocol used. In terms of efficiency the scheme is similar to the most 
efficient one of [22], which is based on the Schnorr signature scheme. 



3.1 System Setup 

Let $p$ be a prime, and $q$ be another prime which divides $p - 1$. Let $G = \langle g \rangle$ 
be a subgroup of $\mathbb{Z}_p^*$ of order $q$, in which computing DLs is infeasible. Let $h()$ 
denote a one-way hash function, and $a \in_R N$ denote choosing an element $a$ from 
the set $N$ at random according to the uniform distribution. 

A confirmable signature scheme involves three players: a Signer (say Alice), 
a Verifier (say Bob) and a designated Confirmer (say Colin). In the proposed 
fair exchange protocol described in Section 2.2, both the exchange parties, Alice 
and Bob, can be such a signer and verifier. 

Alice, as a signer, has a secret and public key pair, denoted by $(S_A, P_A)$, 
and Colin has another secret and public key pair, denoted by $(S_C, P_C)$. These 
two key pairs can be generated as follows. Alice chooses $x \in_R \mathbb{Z}_q^*$ as $S_A$, and 
computes $P_A = (g, y)$ where $y = g^x \bmod p$. Colin chooses $w \in_R \mathbb{Z}_q^*$ as $S_C$, and 
computes $P_C = (g, z)$ where $z = g^w \bmod p$. 

A confirmable signature scheme consists of the following two procedures: 
signature issuance and signature confirmation. 



3.2 Signature Issuance 

A signature issuance procedure runs between Alice and Bob. It consists of (i) 
Alice generating $\mathrm{CSig}_A(m)$; and (ii) Alice demonstrating to Bob that $\mathrm{CSig}_A(m)$ 
is a confirmable signature on a message $m$. 

To generate $\mathrm{CSig}_A(m)$, Alice chooses $u \in_R \mathbb{Z}_q^*$, computes $\tilde{y} = y^u \bmod p$ and 
$\hat{y} = z^{ux} \bmod p$. Next she generates a signature on a message $m$ signed using $u$ 
and $ux$ as private keys. The basic idea of this signature is to make a transferable 
proof that: (i) someone knows how to express $\tilde{y}$ as a power of $y$ and how to express 
$\hat{y}$ as a power of $z$; and (ii) this person has signed $m$ using the DLs of both $\tilde{y}$ to 
the base $y$ and $\hat{y}$ to the base $z$ as private keys. Any existing secure signature 
algorithm, based on the DL problem, can be used to make this signature. The 
following is an example using the Schnorr signature [28]. 

$k_1, k_2 \in_R \mathbb{Z}_q^*,\quad r_1 = y^{k_1} \bmod p,\quad r_2 = z^{k_2} \bmod p,$ 
$c = h(m, r_1, r_2),\quad s_1 = k_1 - uc \bmod q,\quad s_2 = k_2 - uxc \bmod q,$ 

$\mathrm{CSig}_A(m) = (c, s_1, s_2).$ 

The signature verification is to check if 

$c = h(m,\ y^{s_1}\tilde{y}^{\,c},\ z^{s_2}\hat{y}^{\,c})$ 

holds. This signature is universally verifiable. However, because anyone can con- 
struct $(c, s_1, s_2)$ by randomly choosing $\tilde{y}$ as a power of $y$ and $\hat{y}$ as a power of $z$, 
without further proof, no one can see who is the issuer of the signature. 
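The issuance and universal verification above, as an added Python example that is not the paper's own code. The group parameters P, Q, G_GEN are a constructed toy instance (p = 2q + 1, far too small for real use) and h() is assumed to be SHA-256 reduced modulo q; csig_simulate is the construction of the last sentence, a triple anyone can build from y and z alone, which is also the simulator used in Proposition 3.

```python
import hashlib
import secrets

# Constructed toy group (far too small for real use): P = 2*Q + 1 with P, Q prime;
# G_GEN = 4 is a quadratic residue, so <G_GEN> is the subgroup G of prime order Q.
P, Q, G_GEN = 2039, 1019, 4


def h(*parts):
    """The paper's one-way hash h(), assumed here to be SHA-256 reduced into Z_q."""
    data = "|".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def rand_exp():
    """a <-_R Z_q^*: uniform in {1, ..., Q-1}."""
    return secrets.randbelow(Q - 1) + 1


def keygen():
    """Alice: S_A = x, P_A = (g, y = g^x); Colin: S_C = w, P_C = (g, z = g^w)."""
    x, w = rand_exp(), rand_exp()
    return x, pow(G_GEN, x, P), w, pow(G_GEN, w, P)


def _sign_two_keys(m, y, z, a, b):
    """Schnorr-type signature on m under private key a over base y and private
    key b over base z: c = h(m, y^k1, z^k2), s1 = k1 - a*c, s2 = k2 - b*c (mod q)."""
    k1, k2 = rand_exp(), rand_exp()
    r1, r2 = pow(y, k1, P), pow(z, k2, P)
    c = h(m, r1, r2)
    return c, (k1 - a * c) % Q, (k2 - b * c) % Q


def csig_issue(m, x, y, z, u=None):
    """Alice: pick u, set y~ = y^u, y^ = z^(ux), sign m under the keys (u, ux).
    Returns (CSig_A(m), y~, y^, u)."""
    u = rand_exp() if u is None else u
    y_tilde = pow(y, u, P)
    y_hat = pow(z, u * x % Q, P)
    return _sign_two_keys(m, y, z, u, u * x % Q), y_tilde, y_hat, u


def csig_verify(m, sig, y, z, y_tilde, y_hat):
    """Universal verification: c == h(m, y^s1 * y~^c, z^s2 * y^^c) (mod p)."""
    c, s1, s2 = sig
    v1 = pow(y, s1, P) * pow(y_tilde, c, P) % P
    v2 = pow(z, s2, P) * pow(y_hat, c, P) % P
    return c == h(m, v1, v2)


def csig_simulate(m, y, z, u_prime=None, v_prime=None):
    """Anyone knowing only y and z picks y~' = y^u', y^' = z^v' for random u', v'
    and signs with (u', v').  This is the simulator of Proposition 3: the triple
    verifies, but log_{y~'} y^' = log_g z holds only by accident."""
    u_prime = rand_exp() if u_prime is None else u_prime
    v_prime = rand_exp() if v_prime is None else v_prime
    y_tilde = pow(y, u_prime, P)
    y_hat = pow(z, v_prime, P)
    return _sign_two_keys(m, y, z, u_prime, v_prime), y_tilde, y_hat


def statement_holds(w, y_tilde, y_hat):
    """Sta-of-CSig_A(m), i.e. log_{y~} y^ = log_g z, checked with Colin's secret w."""
    return y_hat == pow(y_tilde, w, P)


if __name__ == "__main__":
    x, y, w, z = keygen()
    msg = "constructed sample contract"
    sig, yt, yh, _ = csig_issue(msg, x, y, z)
    print("real     verifies:", csig_verify(msg, sig, y, z, yt, yh),
          "statement:", statement_holds(w, yt, yh))
    sim, yt2, yh2 = csig_simulate(msg, y, z)
    print("simulated verifies:", csig_verify(msg, sim, y, z, yt2, yh2),
          "statement:", statement_holds(w, yt2, yh2))
```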

Proposition 1. The above $\mathrm{CSig}_A(m)$ is a confirmable signature with a validity 
statement $\textit{Sta-of-CSig}_A(m)$: $\log_{\tilde{y}} \hat{y} = \log_g z \pmod q$. 

Proof. On the assumption that the random oracle model holds, the proposition is 
proved if the following three assertions can be proved: (i) given that $\log_{\tilde{y}} \hat{y} = 
\log_g z$, it can be proved that the issuer of $\mathrm{CSig}_A(m)$ must be Alice; (ii) with- 
out the verification of $\log_{\tilde{y}} \hat{y} = \log_g z$, it cannot be claimed that the issuer of 
$\mathrm{CSig}_A(m)$ is Alice; (iii) $\log_{\tilde{y}} \hat{y} = \log_g z$ can independently be verified by Alice 
and Colin. 

By verifying the correctness of the digital signature, it can be proved that 
the issuer of $(c, s_1, s_2)$ must know both $\log_y \tilde{y}$, denoted by $u$, and $\log_z \hat{y}$, denoted 
by $v$. The value $\log_g \hat{y}$, denoted by $t$, must be the product of three values: $\log_g y 
= x$, $\log_y \tilde{y} = u$, and $\log_{\tilde{y}} \hat{y}$. If $\log_{\tilde{y}} \hat{y}$ is $\log_g z = w$, then $t = xuw \bmod q$ and 
$v = xu \bmod q$. The person who knows $v$ and $u$ must know $x$. Since $x$ is known 
only to Alice, the issuer of $\mathrm{CSig}_A(m)$ must be Alice. The first assertion holds. 

Without verifying $\log_{\tilde{y}} \hat{y} = \log_g z$, no one can claim that $\mathrm{CSig}_A(m)$ was 
signed by Alice, since anyone knowing $y$ and $z$ is able to generate the signature 
(see the proof of Proposition 3 of Section 3.4). The second assertion holds. 

Colin is able to prove $\log_{\tilde{y}} \hat{y} = \log_g z$, because $\log_g z$ is $S_C$. Alice can prove 
the knowledge of $u$ and $x$, and hence she can demonstrate this statement (see 
the next subsection). The third assertion holds. 

According to the definition of a confirmable signature and the above three 
assertions, it has been proved that $\textit{Sta-of-CSig}_A(m)$ is $\log_{\tilde{y}} \hat{y} = \log_g z$, so that 
$\mathrm{CSig}_A(m)$ is a confirmable signature. The proposition holds. □ 

The following interactive protocol, denoted by $\mathrm{Conf}_A$, is used for Alice to 
demonstrate $\textit{Sta-of-CSig}_A(m)$ to Bob. 

Protocol $\mathrm{Conf}_A$ 

Suppose that before the protocol starts, both Alice and Bob have $\tilde{y}$, $\hat{y}$ and 
$\mathrm{CSig}_A(m)$. 
1. Alice computes $\bar{y} = z^u \bmod p$ and sends it to Bob. 

2. Alice and Bob run an interactive ZK protocol proving 

$\log_y \tilde{y} = \log_z \bar{y} \pmod q.$ 

3. Alice and Bob run an interactive ZK protocol proving 

$\log_g y = \log_{\bar{y}} \hat{y} \pmod q.$ 

4. If both ZK proofs are accepted, Bob is convinced that $\mathrm{CSig}_A(m)$ is a con- 
firmable signature. Otherwise, the proof is rejected. 

Several efficient ZK protocols for proving equality of DLs, e.g. [20], can be used 
for the proof. 

Proposition 2. Upon acceptance of $\mathrm{Conf}_A$, Alice proves $\log_g z = \log_{\tilde{y}} \hat{y} \pmod q$ 
to Bob. 

Proof. Suppose $\bar{y} = z^u \bmod p = g^{wu} \bmod p$ where $u \in \mathbb{Z}_q^*$. From the first ZK 
proof, Bob is convinced of $\bar{y} = z^u \bmod p$. From the second ZK proof, Bob 
is convinced of $\hat{y} = \bar{y}^{\,x} = g^{wux} \pmod p$. So the proposition follows, i.e. $\hat{y} = 
\tilde{y}^{\,w} \bmod p$. □ 
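Protocol Conf_A as an added example (not the paper's code): Alice sends ȳ = z^u and the two equality-of-DL statements of steps 2 and 3 are proved with a standard three-move Chaum-Pedersen style protocol, which is an assumption here since the paper leaves the choice of ZK protocol open. The group constants are the same constructed toy instance as in the issuance example.

```python
import secrets

# Constructed toy group (not for real use): P = 2*Q + 1, <G_GEN> has prime order Q.
P, Q, G_GEN = 2039, 1019, 4


def rand_exp():
    """Uniform element of Z_q^*."""
    return secrets.randbelow(Q - 1) + 1


class EqualDLProver:
    """Alice's side of a three-move proof that B1 = A1^e and B2 = A2^e share e."""

    def __init__(self, a1, a2, e):
        self.a1, self.a2, self.e = a1, a2, e
        self.t = None

    def commit(self):
        # move 1: commitments T1 = A1^t, T2 = A2^t for a fresh random t
        self.t = rand_exp()
        return pow(self.a1, self.t, P), pow(self.a2, self.t, P)

    def respond(self, challenge):
        # move 3: r = t + c*e (mod q); t is fresh, so r reveals nothing about e
        return (self.t + challenge * self.e) % Q


def equal_dl_check(a1, b1, a2, b2, commitment, challenge, response):
    """Bob's final check: A1^r == T1 * B1^c and A2^r == T2 * B2^c (mod p)."""
    t1, t2 = commitment
    return (pow(a1, response, P) == t1 * pow(b1, challenge, P) % P
            and pow(a2, response, P) == t2 * pow(b2, challenge, P) % P)


def run_equal_dl_proof(a1, b1, a2, b2, secret):
    """One interactive run; Bob picks the challenge (move 2) at random."""
    prover = EqualDLProver(a1, a2, secret)
    commitment = prover.commit()
    challenge = rand_exp()      # nonzero: an honest run on a false statement fails
    response = prover.respond(challenge)
    return equal_dl_check(a1, b1, a2, b2, commitment, challenge, response)


def conf_a(y, z, y_tilde, y_hat, x, u):
    """Protocol Conf_A.  Alice holds (x, u); Bob holds y, z, y~, y^.
    Step 1: Alice sends y- = z^u.   Step 2: prove log_y y~ = log_z y- (= u).
    Step 3: prove log_g y = log_{y-} y^ (= x).  Accept iff both proofs pass; by
    Proposition 2 this convinces Bob of y^ = y~^w, i.e. log_{y~} y^ = log_g z."""
    y_bar = pow(z, u, P)
    step2 = run_equal_dl_proof(y, y_tilde, z, y_bar, u)
    step3 = run_equal_dl_proof(G_GEN, y, y_bar, y_hat, x)
    return step2 and step3


if __name__ == "__main__":
    x, w, u = rand_exp(), rand_exp(), rand_exp()          # constructed secrets
    y, z = pow(G_GEN, x, P), pow(G_GEN, w, P)
    y_tilde, y_hat = pow(y, u, P), pow(z, u * x % Q, P)
    print("honest y^ accepted:", conf_a(y, z, y_tilde, y_hat, x, u))
    forged_hat = pow(z, (u * x + 1) % Q, P)                 # wrong exponent
    print("forged y^ accepted:", conf_a(y, z, y_tilde, forged_hat, x, u))
```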

3.3 Signature Confirmation 

In order to let Bob know whether or not a given statement is $\textit{Sta-of-CSig}_A(m)$, 
Colin needs to demonstrate to him either 

$\log_g z = \log_{\tilde{y}} \hat{y} \pmod q, \quad\text{or}\quad \log_g z \neq \log_{\tilde{y}} \hat{y} \pmod q.$ 

A number of efficient protocols for a ZK proof on the equality or inequality of 
two DLs, e.g. [?], can be used for the proof. Colin can either run an inter- 
active ZK protocol with Bob to make a non-transferable confirmation, or sign 
$\textit{Sta-of-CSig}_A(m)$ for Bob to make a transferable confirmation. For the purpose 
of our fair exchange protocol, we need a transferable confirmation. A number of 
existing efficient interactive protocols for ZK proof of the equality or inequality 
of two DLs can be turned into non-interactive protocols, which can be used. 
The following is one example based on the Schnorr signature [28]. Colin signs 
$(g, z, \tilde{y}, \hat{y})$ using $S_C = w$ by two ordinary signatures. 

The first signature makes a transferable proof that there exist two values $r_1$ 
and $r_2$ satisfying $r_1 = g^k \bmod p$ and $r_2 = \tilde{y}^{\,k} \bmod p$ where $k \in \mathbb{Z}_q^*$. The signature 
is $(c', s')$ generated as follows. 

$k' \in_R \mathbb{Z}_q^*,\quad r_1' = g^{k'} \bmod p,\quad r_2' = \tilde{y}^{\,k'} \bmod p,$ 
$c' = h(r_1', r_2'),\quad s' = k' - kc' \bmod q.$ 

The signature verification is to check if 

$c' = h(g^{s'} r_1^{\,c'},\ \tilde{y}^{\,s'} r_2^{\,c'})$ 

holds. If it does not hold, Bob can claim that Colin did not send a proper 
signature to him. 

Based on acceptance of the first signature, the second signature provides 
a transferable proof of either $\log_g z = \log_{\tilde{y}} \hat{y}$ or $\log_g z \neq \log_{\tilde{y}} \hat{y}$. The resulting 
signature is $(r_1, r_2, s)$, where 

$s = k + w\,h(r_1, r_2) \bmod q.$ 

The signature verification is to check if 

$g^s = r_1 z^{h(r_1, r_2)} \pmod p, \qquad \tilde{y}^{\,s} = r_2 \hat{y}^{\,h(r_1, r_2)} \pmod p$ 

holds. If the first equality does not hold, Bob can claim that Colin did not send a 
proper signature to him. Otherwise, Bob accepts the conviction of the signature. 
In this case, if the second equality holds, Bob accepts $\log_g z = \log_{\tilde{y}} \hat{y}$, and then 
further accepts that the related signature, $\mathrm{CSig}_A(m)$, is a confirmable one. If the 
second equality does not hold, Bob accepts $\log_g z \neq \log_{\tilde{y}} \hat{y}$, and further accepts 
that the related signature is not a confirmable one. 

Note that before generating the above two signatures, Colin may first check if 
$\hat{y} = \tilde{y}^{\,w} \bmod p$ holds. If it does hold, he can simply make a transferable 
proof of $\log_g z = \log_{\tilde{y}} \hat{y}$ by using the second signature only. With this signature, 
anybody is able to verify the correctness of $\textit{Sta-of-CSig}_A(m)$. Hence $\mathrm{CSig}_A(m)$ 
is universally verifiable. 
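Added example, not the paper's code, covering Colin's side of Item 5 of Protocol FE (Section 2.2) together with the two-signature transferable confirmation of this subsection, including the inequality case. The constructed toy group, the SHA-256 instantiation of h(), and the use of ordinary Schnorr signatures for Sig_B(M) are assumptions; the e != 0 safeguard is an addition for the toy group, where h(r1, r2) = 0 is not negligible.

```python
import hashlib
import secrets

# Constructed toy group (not for real use): P = 2*Q + 1, <G_GEN> has prime order Q.
P, Q, G_GEN = 2039, 1019, 4


def h(*parts):
    """The paper's hash h(), assumed to be SHA-256 reduced into Z_q."""
    data = "|".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


def schnorr_sign(m, secret):
    """Ordinary Schnorr signature Sig_X(m) = (c, s): c = h(m, g^k), s = k - secret*c."""
    k = rand_exp()
    c = h(m, pow(G_GEN, k, P))
    return c, (k - secret * c) % Q


def schnorr_verify(m, sig, pub):
    c, s = sig
    return c == h(m, pow(G_GEN, s, P) * pow(pub, c, P) % P)


def csig_verify(m, csig, y, z, y_tilde, y_hat):
    """Universal check of the issuance triple (c, s1, s2) from Section 3.2."""
    c, s1, s2 = csig
    v1 = pow(y, s1, P) * pow(y_tilde, c, P) % P
    v2 = pow(z, s2, P) * pow(y_hat, c, P) % P
    return c == h(m, v1, v2)


def confirm(w, y_tilde):
    """Colin's transferable confirmation for a CSig_A(m) with values (y~, y^).
    first = (c', s') proves r1 = g^k and r2 = y~^k share k; second = (r1, r2, s)
    with s = k + w*h(r1, r2) is Colin's signature whose two verification
    equations decide log_g z =? log_{y~} y^.  y^ itself is not needed here."""
    while True:                       # toy-group safeguard: need e = h(r1, r2) != 0
        k = rand_exp()
        r1, r2 = pow(G_GEN, k, P), pow(y_tilde, k, P)
        e = h(r1, r2)
        if e:
            break
    k_p = rand_exp()
    r1_p, r2_p = pow(G_GEN, k_p, P), pow(y_tilde, k_p, P)
    c_p = h(r1_p, r2_p)
    s_p = (k_p - k * c_p) % Q
    s = (k + w * e) % Q
    return (c_p, s_p), (r1, r2, s)


def verify_confirmation(z, y_tilde, y_hat, first, second):
    """Anyone's check of Colin's confirmation.  Returns
    'invalid'         : Colin's signatures do not verify (Bob complains),
    'confirmable'     : log_g z = log_{y~} y^, so CSig_A(m) is Alice's,
    'not-confirmable' : log_g z != log_{y~} y^."""
    c_p, s_p = first
    r1, r2, s = second
    v1 = pow(G_GEN, s_p, P) * pow(r1, c_p, P) % P      # c' == h(g^s' r1^c', y~^s' r2^c')
    v2 = pow(y_tilde, s_p, P) * pow(r2, c_p, P) % P
    if c_p != h(v1, v2):
        return "invalid"
    e = h(r1, r2)
    if e == 0:
        return "invalid"                               # mirrors the safeguard above
    if pow(G_GEN, s, P) != r1 * pow(z, e, P) % P:      # g^s == r1 * z^e: Colin signed
        return "invalid"
    if pow(y_tilde, s, P) == r2 * pow(y_hat, e, P) % P:  # y~^s == r2 * y^^e iff y^ == y~^w
        return "confirmable"
    return "not-confirmable"


def colin_item5(w, z, y, pub_b, m, sig_b, csig, y_tilde, y_hat):
    """Item 5 of Protocol FE: Bob submits Sig_B(M) and CSig_A(M) with (y~, y^).
    Colin serves only if Sig_B(M) is Bob's valid signature and CSig_A(M) is
    Alice's valid confirmable signature (triple verifies and y^ == y~^w);
    he then returns the confirmation for Bob and forwards Sig_B(M) to Alice."""
    if not schnorr_verify(m, sig_b, pub_b):
        return None
    if not csig_verify(m, csig, y, z, y_tilde, y_hat) or y_hat != pow(y_tilde, w, P):
        return None
    return {"to_bob": confirm(w, y_tilde), "to_alice": sig_b}
```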

3.4 Security of the Scheme 

The confirmable signature scheme specified above allows the players of the 
scheme to freely choose any DL based signature algorithms and any 
efficient protocols for ZK proof of the equality or the inequality of two DLs. 
As long as the security properties of those algorithms and protocols have been 
proved, i.e., (i) the verification of a digital signature is complete and sound; (ii) 
the error probability of an acceptance for a ZK protocol is negligible; (iii) they 
guarantee not to reveal useful information about $x$ and $w$, the following three 
security properties hold under this scheme. 

Proposition 3. A confirmable signature, $\mathrm{CSig}_A(m)$, can be simulated. 

Proof. A simulator, who knows $g$, $y$, $z$, $q$, $p$ and $m$, is always able to generate a 
triple $(c', s_1', s_2')$ in the following way. He/she simply chooses $u' \in_R \mathbb{Z}_q^*$ and $v' \in_R 
\mathbb{Z}_q^*$, computes $\tilde{y}' = y^{u'} \bmod p$ and $\hat{y}' = z^{v'} \bmod p$, and then signs $m$ using $u'$ 
and $v'$ as private keys, by the same approach described in Section 3.2, to obtain 
$(c', s_1', s_2')$. For two fixed public keys $y$ and $z$, and any message $m$, let $A$ be any 
polynomial-time algorithm which, on input of a signature pair $(m, \sigma)$, outputs 
whether or not $(m, \sigma)$ is valid with respect to $y$ and $z$. The value 

$\Pr\{A(m, (c', s_1', s_2')) = \text{valid}\} - \Pr\{A(m, (c, s_1, s_2)) = \text{valid}\}$ 

is negligible. 
Note that there is no binding between $\bar{y}$ and $(c, s_1, s_2)$, hence $\bar{y}$ does not 
reveal any useful information for distinguishing a real $\mathrm{CSig}_A(m)$ from a simu- 
lated one. Furthermore, the tuple $(g, y, z, \tilde{y}, \hat{y})$ is indistinguishable from the tuple 
$(g, y, z, \tilde{y}', \hat{y}')$, otherwise the Decision Diffie-Hellman assumption is not valid 
in the random oracle model. So the proposition holds. □ 



Proposition 4. A confirmable signature, $\mathrm{CSig}_A(m)$, is unforgeable, i.e., under 
the assumption that it is computationally infeasible to compute DLs in $G$, 
there is no polynomial-time algorithm which, on input of $y$, $z$, $w$, and any value 
$m' \in \{0,1\}^*$, outputs $\mathrm{CSig}_A(m')$ with respect to $\tilde{y}'$ and $\hat{y}'$ satisfying $\log_g z = 
\log_{\tilde{y}'} \hat{y}' \pmod q$. 

Proof. It has been proved in Proposition 1 that, if $\log_g z = \log_{\tilde{y}'} \hat{y}'$, the value 
$\log_z \hat{y}'$ must be equal to $\log_g y \cdot \log_y \tilde{y}'$. If there is a polynomial-time algorithm 
$A$ which, on input of $y$, $z$, $w$ and $m'$, outputs $\mathrm{CSig}_A(m')$ with respect to $\tilde{y}'$ and 
$\hat{y}'$ satisfying $\log_g z = \log_{\tilde{y}'} \hat{y}'$, $A$ must be able to obtain $\log_g y$. This contradicts 
the assumption. Hence the proposition holds. □ 

This proposition proves that no one, including the confirmer Colin, is able 
to forge such a confirmable signature, $\mathrm{CSig}_A(m)$. 

Proposition 5. A confirmable signature, $\mathrm{CSig}_A(m)$, is undeniable. 

Proof. It is impossible for Alice to find any $\tilde{y}$, $\hat{y}$ and $u \in \mathbb{Z}_q^*$ (with $\bar{y} = z^u \bmod p$) satisfying $\log_y \tilde{y} = 
\log_z \bar{y}$, $\log_g y = \log_{\bar{y}} \hat{y}$ and $\log_g z \neq \log_{\tilde{y}} \hat{y}$. As has been proved in Proposition 
1, given that $\log_g z = \log_{\tilde{y}} \hat{y}$, only the person knowing $\log_g y$ is able to make 
$\mathrm{CSig}_A(m)$, so that Alice cannot deny having issued this confirmable signature. 
Therefore the proposition holds. □ 

4 Conclusions 

Previous work on fair exchange of digital signatures did not produce an efficient 
approach that would be widely acceptable in electronic commerce. This paper 
has proposed a new efficient protocol for fair exchange of digital signatures bet- 
ween two potentially mistrusting parties. In the protocol, a TTP, acting as a 
designated confirmer, is needed only when one of the exchange parties does not 
follow the protocol properly or another fault occurs. This protocol has a practical 
level of performance: only a moderate number of communication rounds (e.g. 5 
rounds for a normal procedure) and ordinary signatures (e.g. two Schnorr sig- 
natures for a confirmable signature and one Schnorr signature for a normal con- 
firmation service) are required. It will be suitable for many electronic commerce 
applications over the Internet, such as contract signing and electronic purchase. 
The fairness property of the protocol is based on verifiable confirmation of digital 
signatures. The paper has presented an efficient and generic confirmable signa- 
ture scheme recommended for use in the proposed fair exchange protocol. 
Abstract. Oblivious Transfer (OT) is a ubiquitous cryptographic tool 
that is of fundamental importance in secure protocol design. Despite 
extensive research into the design and verification of secure and efficient 
solutions, existing OT protocols enjoy “provable” security only against 
static attacks, in which an adversary must choose in advance whom it 
will corrupt. 

This model severely limits the applicability of OT, since it provides no 
verifiable security against attackers who choose their victims adaptively 
(anytime during or after the protocol) or may even corrupt both players 
(which is not a moot point in a larger network protocol). This issue arises 
even if the communication model provides absolutely secure channels. 
Recent attention has been given to accomplishing adaptive security for 
encryption, multiparty protocols (for n > 3 participants, with faulty 
minority), and zero-knowledge proofs. 

Our work fills the remaining gap by demonstrating the first (provably) 
adaptively secure protocol for OT, and consequently for fully general two- 
party interactive computations. Based on the intractability of discrete 
logarithms, or more generally on a minimally restricted type of one-way 
trapdoor permutation, our protocols provably withstand attacks that 
may compromise Alice or Bob, or both, at any time. 



1 Introduction 

In the Millionaires’ Problem [Yao82a], Alice and Bob wish to determine who 
has more money, without revealing how much each one respectively has. This 
problem is a special case of the more general two-party function computation 
problem, in which Alice and Bob wish to compute some arbitrary discrete func- 
tion f(x,y), where Alice holds x and Bob holds y, without revealing anything 
more about x and y than what f(x,y) reveals. 

Kilian [K88] provided an elegant general solution based on the fundamental 
primitive known as Oblivious Transfer (OT). Introduced by Rabin [R81], OT 
is a process by which Alice transmits a bit b to Bob over a “noisy” channel: 
Bob learns b with probability 1/2, but Alice does not discover whether Bob 
succeeded or failed in learning b. This simple asymmetry in knowledge provides 
the basis not only for two-party function computation but for a variety of other 
cryptographic tasks, including bit commitment and zero-knowledge proofs [K88, 
BCC88, GMW87, GMR89]. 

Because of its importance, many implementations for OT exist [R81, EGL85, 
BCR86a, BCR86b, BM89, KMO89, HL90, dB91, B92], based on a variety of un- 
proven intractability assumptions and providing varying degrees of efficiency and 
security. Some provide unconditional security for Alice; some provide uncondi- 
tional security for Bob. 

For most, a proof of security against static 1-adversaries has been offered 
or is straightforward to construct. In other words, most approaches support a 
case-by-case analysis: an always-honest Alice is protected against Bob (adversary 
corrupted Bob in advance), or an always-honest Bob is protected against Alice 
(adversary corrupted Alice in advance). 

Such verification is technically insufficient, in and of itself, to demonstrate 
security against adaptive attacks. This does not immediately provide a means to 
break existing protocols, but it does mean that they remain at best intuitively 
secure. Worse, a partial verification (i.e. for static attacks only) is misleading 
when it suggests robustness against adaptive attacks. 

In addition, certain applications of OT protocols introduce dangerous log- 
ical deficiencies, even when only static adversaries are involved. That is, if a 
statically-verified OT protocol is used in a non-black-box manner within a larger 
protocol, then the “obvious” deduction that the larger protocol is secure against 
merely static attacks may be dangerously incorrect. (See §1.4.) 

To utilize Kilian’s foundational result in the most robust and general fashion, 
an OT implementation is needed that enjoys a proof of security against adaptive 
2-attacks. This paper provides such an implementation for the first time, and it 
uses common intractability assumptions. 



1.1 Network Security and Adaptive Attacks 

What is Adaptive Security? Unlike static adversaries, adaptive adversaries are 
able to corrupt one or more players at any time during or after a protocol. 

Often, security is argued through a simulator-based approach à la Gold- 
wasser, Micali and Rackoff [GMR89] (cf. [MR91, B91]). A simulator S is given 
access to some ideal setting (e.g., the rock-hard exterior of an absolutely secure 
channel), and it must provide a realistic virtual environment for the adversary. If 
the adversary cannot tell the difference between this environment and an actual 
execution, then the actual execution does not leak any more information (or 
provide more influence on results) than the ideal setting. 

Encryption over public channels provides the simplest illustration of the pro- 
cess. A static security proof typically arranges for S to create a fake encryption¹ 
E(k, 0, r) of 0. In accomplishing this, S clearly needs (and is granted) no access 
to the message protected by the ideal channel. 

¹ It is convenient to consider just public-key encryption, although even private-key 
encryption such as DES suffers the same problems with adaptive attacks. Here, k is 
an encryption key; r is a random string. 
If an adversary can later corrupt the sender, then it (as well as S) is now 
entitled to learn the cleartext, m. But because S cannot generally find k' and/or 
r' such that E(k', m, r') = E(k, 0, r), an adversary can easily detect the in- 
consistency. Resetting the adversary is not viable, either, particularly when in 
the meantime it has examined thousands of other (simulated) messages being 
delivered within a larger-scale interaction. 

Even if S uses a random or cleverly chosen message m' instead of 0, it is 
highly likely that it will be mistaken. The very security of the ideal channel 
itself makes this problem fundamentally inevitable. 

Why is Adaptive Security Important? At first glance, the distinction seems an 
obscure technicality. In reality, however, adaptive security reflects a more natural 
and applicable threat model. Although analyzing a protocol according to each 
possible corruption pattern appears to be a convincing argument for security, 
the fundamental problem is that real-world attackers need not choose in advance 
whom they will corrupt; nor are they restricted to corrupting at most one party. 

These factors are particularly evident when OT (or encryption) is used as a 
pluggable component in a larger-scale protocol involving many parties. Any par- 
ticular OT execution might be overrun by an adversary who eventually chooses 
to corrupt both parties - whether immediately or later. 

The technical issue would be moot if there were an obvious mapping from 
static arguments to the adaptive case. No such mapping is known. Indeed, the 
opposite seems to be true for certain protocols, which enjoy proofs of static 
security but are unlikely to enjoy proofs of adaptive security, at least using 
simulator-based approaches [B95a, B96]. 

What are the Obstacles? Even though computational encryption makes it diffi- 
cult to discover the cleartext, it binds the sender and receiver to the cleartext. 
That is, because there is no equivocation of the message given the cleartext, nei- 
ther sender nor receiver can find a different key or random input to map the 
ciphertext to a different cleartext. 

This holdover from Shannon is a curse on adaptive security in the computa- 
tional setting. Not only are the sender and receiver bound to the cleartext (even 
though hidden!), so is the simulator itself. 

1.2 Specifics of Oblivious Transfer 

For OT, the ideal setting contains a trusted third party who receives b from Alice 
and decides randomly whether to send (0,0) or (1,b) to Bob. The simulator can 
inspect and control those ideal parties (Alice/Bob) if and precisely when the 
adversary has requested their corruption. 

In particular, S must provide a view of the conversation between A and B 
over a public channel, even before any corruptions have been requested. When 
Alice (or Bob) is then corrupted, S should “back-patch” its view to show an 
internal history of Alice (or Bob) that is consistent with the conversation. For 
security against 2-adversaries, S must also be prepared to provide a fake history 
for Bob (resp. Alice) in the future, if the adversary Adv later requests a second 
corruption. 

Example. For concreteness, consider Rabin’s OT protocol [R81]. Alice generates 
n = pq as a product of large Blum primes, then sends n and (for simplicity, 
say) s = (−1)^b r² mod n to Bob, for a random r mod n. Bob chooses a secret 
x mod n and sends z = x² mod n to Alice. Alice chooses one of the four square 
roots {x, −x, y, −y} of z and sends it to Bob. If Alice chose ±x, Bob learns 
nothing, but if Alice chose ±y, Bob can factor n and discover b. 
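The exchange just sketched, as an added worked example that is not part of the paper: Rabin's OT [R81] with constructed toy Blum primes (p = 11, q = 19, far too small for real use). The point it makes concrete is the asymmetry the text describes: Bob learns b exactly when the square root Alice returns is not ±x, because that root yields a factor of n, and with the factorization the quadratic residuosity of s (hence b) can be read off.

```python
"""Added example (not from the paper): Rabin's OT [R81] as sketched in the
Example above, with constructed toy Blum primes (insecurely small). It makes
explicit why the square root Alice returns decides whether Bob can factor n
and hence read b."""
from math import gcd

# Constructed toy parameters: Blum primes are primes congruent to 3 mod 4.
P_BLUM, Q_BLUM = 11, 19
N = P_BLUM * Q_BLUM   # 209


def sqrt_mod_blum_prime(a, p):
    """Square root of quadratic residue a modulo a Blum prime p: a^((p+1)/4)."""
    return pow(a, (p + 1) // 4, p)


def crt(rp, rq, p, q):
    """Combine residues rp (mod p) and rq (mod q) into one residue mod p*q."""
    inv_p = pow(p, -1, q)
    return (rp + p * (((rq - rp) * inv_p) % q)) % (p * q)


def four_square_roots(z, p, q):
    """All four square roots of z modulo n = p*q; needs the factorization."""
    rp, rq = sqrt_mod_blum_prime(z, p), sqrt_mod_blum_prime(z, q)
    return sorted({crt(sp * rp, sq * rq, p, q) for sp in (1, -1) for sq in (1, -1)})


def alice_message(b, r):
    """Alice's first message s = (-1)^b r^2 mod n, encoding her bit b."""
    return ((-1) ** b * r * r) % N


def is_qr_mod_n(s, p, q):
    """s is a square mod n iff it is a square mod both p and q (Euler's criterion)."""
    return pow(s, (p - 1) // 2, p) == 1 and pow(s, (q - 1) // 2, q) == 1


def bob_decode(s, x, root):
    """Bob, who chose x and got back one square root of x^2 mod n.

    Returns b if the root lets him factor n (root != +-x), otherwise None:
    -1 is a non-residue modulo a Blum prime, so s is a square mod n iff b = 0.
    """
    if root in (x % N, (-x) % N):
        return None
    p = gcd(root - x, N)      # root == x mod one prime and == -x mod the other
    q = N // p
    return 0 if is_qr_mod_n(s, p, q) else 1


def rabin_ot(b, r, x, which_root):
    """One run: Alice sends s, Bob sends z = x^2, Alice returns root number which_root."""
    s = alice_message(b, r)
    z = pow(x, 2, N)
    root = four_square_roots(z, P_BLUM, Q_BLUM)[which_root]
    return bob_decode(s, x, root)
```

With x = 7 the four roots of z = 49 mod 209 are 7, 26, 183 and 202; indices 0 and 3 are ±x and teach Bob nothing, indices 1 and 2 factor n and reveal b. Alice, not knowing x, picks uniformly and so cannot tell which case occurred.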

Now, say that Adv corrupts “real” Bob. Even if the whole conversation had 
been encrypted, Adv now learns the traffic described above, and S must simulate 
it. S is entitled to learn what a trusted third party handed over to “ideal” Bob 
in the ideal case. With probability 1/2, S failed to learn b, yet it must present 
Adv with some s. 

We might try the approach that seems to suffice for the static case: just make 
s up using a guessed b, and Adv will never know the difference. But Adv may 
choose to corrupt “real” Alice a hundred years later (even for reasons completely 
independent of this OT execution), at which point S has to report a consistent 
internal history for Alice. Indeed, S is now entitled to learn b by corrupting the 
“ideal” Alice. But the fake value of s can be “decoded” in only one way, and 
with probability 1/2, S’s earlier faked value will be inconsistent with b, causing 
the simulation to fail.² 

1.3 Adaptive Security: Related Work 

The fundamental importance of adaptively-secure solutions is underlined by re- 
cent solutions for several fundamental cryptographic tasks, including: 

— Encryption [CFGN96] 

— Multiparty computation (for n > 3) [CFGN96] 

— Zero-knowledge proofs and arguments [B95a] (cf. [BCC88, FS90a]) 

— Bit committal [B95a] (cf. [BCC88, FS90a]) 

Erasing. Simulation can be finessed in settings where erasing internal informa- 
tion is allowed [BH92, F88]. By deleting sensitive information, players remove 
the evidence that might otherwise indicate a simulator’s mistaken guess. If a pri- 
vate key is no longer available, then the adversarial view, although information- 
theoretically improper, will reveal no contradiction. 

Fake Ciphertexts with Equivocation. Using public channels while maintaining 
complete internal records is a significantly greater challenge. Recently, Canetti, 
Feige, Goldreich and Naor [CFGN96] developed a secure encryption scheme with- 
out erasing, based on honest parties’ refraining from learning certain bits. This 

² A simulator for the static case doesn’t ever have to face this possibility; it only 
produces fake information for Alice when Alice is corrupt from the start, in which 
case it knows b already. 
important idea enables the simulator to construct fake ciphertexts that can be 
made consistent with either 0 or 1. 

Naturally, the facsimiles are imperfect (otherwise a receiver could not tell 
whether the message was 0 or 1), but it is computationally difficult to distinguish 
them from actual ciphertexts. 

1.4 Previous Work Insufficient for OT 

There is good reason why OT is conspicuously missing from the preceding 
list. Generally speaking, the earlier settings demand at most one-sided privacy, 
whereas OT requires two-sided privacy. 

That is, in earlier settings, at most one of the parties is hiding in- 
formation from the other. Therefore S holds no information from the 
ideal setting, until it gains all information as soon as a sensitive party 
(sender/receiver/prover/committer) is corrupted. Thus, S need only prepare for 
one “surprise” event, namely when it suddenly gains the private information and 
must back-patch its current simulation. 

In OT, however, each party withholds information from the other. Achiev- 
ing equivocation in both directions simultaneously is a significantly different and 
harder task. The simulator must be prepared to back-patch flexibly with two 
kinds of newly-gained data, depending on which player is first compromised. 
Even thereafter, the ongoing simulation must still be prepared for an eventual 
back-patching needed to show consistency with the still-unknown data held by 
the other player. This remains true even if the interaction occurs over an abso- 
lutely secure channel. 

Two-Sided Equivocation. Beaver recently characterized two equivocation prop- 
erties for OT [B96]: An OT implementation is content-equivocable³ (C.E.) 
if S can generate views (whether or not B is yet corrupt) so that if A is sud- 
denly corrupted, the views can be made consistent with A having transmitted 
b = 0 or b = 1. Likewise, the implementation is result-equivocable (R.E.) if S 
can patch a view consistently with “received” or “didn’t receive” when Bob is 
suddenly corrupted. 

Weaker equivocation properties are also useful to consider, particularly when 
the traffic itself between A and B is also encrypted. An OT protocol is weakly 
content-equivocable if S need do the appropriate patching only when Bob is 
already corrupt. An OT protocol is weakly result-equivocable if S need do 
the appropriate patching only when Alice is already corrupt. 

For example, the Rabin protocol is result-equivocable but not weakly 
content-equivocable. According to need, S can use an appropriate choice from 
{x, −x, y, −y} as the “actual” x that Bob chose, thereby switching whether Bob 
received b or not. But as described earlier, the announced value of s prevents S 
from adapting b itself. 

³ The term “equivocable” means “can be made to appear equivocal.” Equivocal ci- 
phertexts convey no information and are useless for communication; but equivocal 
facsimiles enable flexible back-patching. 
Weak content-equivocation is virtually identical to the “chameleon” property 
[BCC88] for bit commitment. Unfortunately, the methods in [BCC88] do not 
generalize to achieve both C.E. and R.E. properties simultaneously for OT. 

Notably, no known OT protocol is both weakly content- and weakly 
result-equivocable [B96]. This includes the protocols described in Rabin [R81], 
Even/Goldreich/Lempel [EGL85], Goldreich/Micali/Wigderson [GMW87], Bel- 
lare/Micali [BM89], Den Boer [dB91], and Beaver [B96]. 

Insufficiencies for Static Attacks. Even ignoring adaptive attacks altogether, 
there are subtle dangers in using OT protocols in larger protocols. Unless the 
protocol is used in a black-box manner, it can be incorrect to deduce that a 
larger protocol is secure against merely static attacks based on a proof that the 
OT subprotocol is secure against static attacks. 

As an illustration, recall Rabin’s protocol for OT, in the case where Alice 
is honest, i.e. where S does not have access to b. If S uses the encryption-style 
simulation, it sets b = 0 (or guesses a random b). 

Now, imagine using this kind of OT protocol for commitment purposes, to tie 
Alice to each bit b. As long as Alice does not ever reveal the r value, it is always 
possible to “reveal” a b' value that is inconsistent with s = (−1)^b r². (Discovering 
this inconsistency is just the Quadratic Residuosity problem.) 

A “black-box” use of OT would never instruct Alice to “decommit” b by 
revealing r. (Thus, even if b is revealed later in a larger protocol, it remains 
infeasible to detect whether S’s facsimile has the wrong quadratic residuosity.) 
But a less well-bred protocol might indeed use this attractive ability to decommit 
b. In that case, it would be incorrect to extend a claim of security to the larger 
protocol, even against static attacks. This is because the quadratic residuosity 
of the simulator’s fake s value will match an unknown b value only half the time, 
and S’s attempts at simulation will fail. This problem is particularly acute where 
encryptions are used as committals in such a non-black-box way. 

Again, the protocol may not be obviously breakable, but the deduction that 
it is provably secure would be incorrect. 

1.5 Results 

Our results are complementary to recent advances in adaptive security in the 
related but distinct domains of encryption, proofs and committal. 

We give the first known protocol for Oblivious Transfer that admits a proof 
of security against attacks by adaptive 2-adversaries: 

Theorem 1. There exists an implementation of Oblivious Transfer that is secure 
against adaptive 2-adversaries, if the Diffie-Hellman Assumption holds. 

Our methods require a small constant number of exponentiations and are com- 
parable to the complexity of statically-secure OT implementations. 

Similar results hold for other cryptographic assumptions such as the in- 
tractability of factoring or breaking RSA. More generally, they hold for a slightly 
restricted type of one-way trapdoor permutation, one which allows the selection 
of a permutation without knowing the trapdoor [CFGN96]. 

Although secure channels are insufficient, we make use of methods in [B97] 
that employ (statically-secure) key exchange in a bizarre fashion, intentionally 
revealing the keys that are mutually generated. 

Contents. §2 describes notation, formalities, and OT variants. §3 presents our 
solution based on the Diffie-Hellman assumption. §4 describes a proof of security 
against adaptive attacks. §5 discusses generalizations of the techniques. 

2 Background and Notation 

Notation. Let $(S) denote the uniformly random distribution over finite set S. 
Let p be a prime. Let Z_p^* = {1, 2, ..., p − 1} and let Z_{p−1} = {0, 1, 2, ..., p − 2}. 

Attacks: Static or Adaptive. An adversary is a probabilistic poly-time TM 
(PPTM) that issues two sorts of messages: “corrupt i,” “send m from i to j.” It 
receives two sorts of responses: “view of i,” “receive m from j to i.” Whether its 
send/receive message is honored depends on whether it has issued a request to 
corrupt i. 

A static t-adversary is an adversary who issues up to t corrupt requests 
before the protocol starts. An adaptive t-adversary may issue up to t such 
requests at any time. 

OT speeifieation. The specification protocol for OT is a three-party pro- 
tocol consisting of A, B, and incorruptible party OT. A has input b, which it 
is instructed to send to OT. OT flips a coin, ?b, and sends (?6, lb A b) to B.^ 
The communication channels between A and OT and between OT and B are 
absolutely private. 

We also consider two variants on OT: one-out-of-two OT ((½)OT), in which 
Alice holds (b_0, b_1) and Bob receives (c, b_c) for a random c unknown to Alice 
[EGL85]; and chosen one-out-of-two OT (chosen-(½)OT), in which Alice holds (b_0, b_1) 
and Bob receives b_c for a c of his choice, but unknown to Alice. 

Simulation-based security. The definition of simulator-based static security is 
the standard approach: find an appropriate simulator for the case in which Alice 
is bad, and another simulator for when Bob is bad. We focus on the adaptive 
case. 

In the adaptive case, there is a single simulator, S, who receives requests 
from and delivers responses to the attacker, Adv, creating an environment for 
Adv as though Adv were attacking a given implementation. S is itself an attacker 
acting within the specification protocol for OT, which is run with A on input 
b. When Adv corrupts player i, S issues a corruption request and is given i’s 

⁴ Thus, (0,0) means “failed,” while (1,b) means “received b.” 
information.⁵ S responds to Adv with a facsimile of the “view of i” response that 
Adv expects. S receives all of Adv’s “send to” requests and provides Adv with 
facsimiles of “receive to” responses. Finally, Adv (or S on Adv’s behalf) writes 
its output, y_Adv. 

Let Adv, with auxiliary input x_Adv, attack a given OT implementa- 
tion OT in which Alice holds input b. The execution induces a distribution 
(A(b), B, Adv(x_Adv)) on output triples, (y_A, y_B, y_Adv). 

Let S(Adv(x_Adv)) attack the OT specification. The execution induces a dis- 
tribution (A(b), B, S(Adv(x_Adv))) on output triples, (y_A, y_B, y_S). 

An extra, “security parameter” k may be included. This provides a sequence 
of distributions on output triples in each scenario. Let ≈ denote computational 
indistinguishability, a notion whose formal definition is omitted for reasons of 
space (cf. [GMR89]). 

The implementation OT is secure against adaptive t-adversaries if, for 
any adaptive t-adversary Adv, there is a PPTM simulator S such that for any 
b, (A(b), B, Adv(x_Adv)) ≈ (A(b), B, S(Adv(x_Adv))). In other words, the simulator 
maps attacks on the implementation to equivalent attacks on the specification. 

Assumptions. Let p be a “safe” prime, namely p − 1 = 2q, where q is prime. 
Let ĝ be a generator of Z_p^*, and define g = ĝ² mod p; g generates a subgroup 
denoted ⟨g⟩. 

In the Diffie-Hellman protocol, Alice selects an exponent a ← $(Z_{p−1}) 
and sends x ← g^a mod p to Bob. Bob selects b ← $(Z_{p−1}) and sends y ← 
g^b mod p to Alice. Alice and Bob then individually calculate the shared “key” 
z = g^{ab} mod p. (Alice uses z ← y^a and Bob uses z ← x^b.) 

Define the Diffie-Hellman distribution D_p as the triple of random vari- 
ables (x,y,z) obtained from an execution of the DH protocol by honest parties. 

The Decision Diffie-Hellman Assumption (DDHA) can be described as 
follows: 

(DDHA) Let p be a safe prime and g a subgroup generator selected 
as described above. Then D_p is computationally indistinguishable from 
($(⟨g⟩), $(⟨g⟩), $(⟨g⟩)). 

Note that without the precaution of moving to a subgroup, typical Diffie-Hellman 
triples can be distinguished from three random elements. The quadratic resid- 
uosity of g^{ab} can be deduced from that of g^a and g^b, hence a random element 
would be distinguishable from g^{ab}. 
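The residuosity distinguisher mentioned in the preceding note, as an added example that is not part of the paper. It uses constructed toy parameters (p = 23, q = 11, ĝ = 5 a generator of Z_23^*, g = ĝ² = 2 a generator of the order-11 subgroup ⟨g⟩) and enumerates every triple exactly, so the advantages computed are exact rather than sampled: 1/2 over Z_p^* and 0 over ⟨g⟩, which is why the protocol works in the subgroup.

```python
"""Added example (not from the paper): why Diffie-Hellman is moved into the
order-q subgroup <g> of Z_p^* for a safe prime p = 2q + 1.  Constructed toy
parameters: p = 23, q = 11, g_hat = 5 generates Z_23^*, g = g_hat^2 = 2."""

P = 23
Q = (P - 1) // 2          # 11
G_HAT = 5                 # generator of Z_p^* (order 22)
G = pow(G_HAT, 2, P)      # 2, generator of the order-q subgroup <g>


def is_qr(v):
    """Euler's criterion: v is a quadratic residue mod p iff v^((p-1)/2) == 1."""
    return pow(v, (P - 1) // 2, P) == 1


def residuosity_consistent(x, y, z):
    """The check a distinguisher can run on a candidate triple (x, y, z).

    For x = h^a, y = h^b, z = h^(ab) with h a generator of Z_p^*: z is a
    residue iff ab is even, i.e. iff a or b is even, i.e. iff x or y is a
    residue.  A genuine DH triple therefore always passes.
    """
    return is_qr(z) == (is_qr(x) or is_qr(y))


def dh_triples(h, order):
    """All DH triples (h^a, h^b, h^ab) over the group generated by h."""
    return [(pow(h, a, P), pow(h, b, P), pow(h, a * b, P))
            for a in range(order) for b in range(order)]


def random_triples(h, order):
    """All triples of elements of <h>: the uniform distribution, enumerated."""
    elems = [pow(h, e, P) for e in range(order)]
    return [(x, y, z) for x in elems for y in elems for z in elems]


def distinguisher_advantage(h, order):
    """Pr[check passes | DH triple] - Pr[check passes | uniform triple]."""
    dh = dh_triples(h, order)
    rnd = random_triples(h, order)
    p_dh = sum(residuosity_consistent(*t) for t in dh) / len(dh)
    p_rnd = sum(residuosity_consistent(*t) for t in rnd) / len(rnd)
    return p_dh - p_rnd


if __name__ == "__main__":
    print("advantage over Z_p^*:", distinguisher_advantage(G_HAT, P - 1))  # 0.5
    print("advantage over <g>:  ", distinguisher_advantage(G, Q))          # 0.0
```

Over ⟨g⟩ every element is a residue, so the check is vacuous and the advantage vanishes; over the full group half of all uniform triples fail a check that every DH triple passes.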

3 Solution Employing Diffie-Hellman 

By Crépeau’s reductions, it suffices to implement (½)OT [C87]. Alice and Bob 
attempt to set up a valid (½)OT execution on random bits, as in [B95b]: if 
successful, they can later apply this execution to the desired input bits. 

⁵ i is a player in the specification protocol and is unaware of messages being passed in 
a given implementation. In particular, A knows only its input b (and its message to 
OT), and B knows only its message from OT. 
The attempt consists of four invocations of the Diffie-Hellman key-exchange 
protocol [DH76], some of which are “garbled” according to Beaver’s approach 
[B97]. If an appropriate invocation remains ungarbled, then Alice and Bob have 
established a valid (½)OT execution, otherwise they must try again. 



3.1 Honest Players 

Assuming initially that neither Alice nor Bob misbehaves, a simple overview is 
possible. Essentially, Alice encodes bits b_0 and b_1 using a 2 × 2 table α_ij of bits, 
where α_ij = 0 iff b_i = j. Bob encodes a choice c and mask m using a table β_ij, 
where β_cm = 0 and all other values are 1. They engage in four DH executions, 
some of which are garbled. Alice “garbles” whenever α_ij = 1 and Bob “garbles” 
whenever β_ij = 1. Bob can detect when they both left instance cm ungarbled, 
in which case α_cm = 0, hence b_c = m. Otherwise, Bob requests a retry. 

The “garbling” of the Diffie-Hellman protocol occurs in one of two ways. 
Instead of choosing an exponent e and computing r = g^e, a player can choose 
r directly without knowing its discrete logarithm. (Thus, the player will be un- 
able to calculate or verify the final DH key, g^{ab}.) Second, a player can garble 
by likewise choosing a uniformly random residue whose discrete logarithm 
is unknown. In particular, define the following random variables, which either 
report a deterministic output or produce a uniform, garbled distribution: 



G(σ, s)    =  $(Z_p^*)                     if σ = 0 
              g^s mod p                    if σ = 1 

G(σ, s, r) =  ($(Z_p^*), $(Z_p^*))         if σ = 0 
              (g^s mod p, r^s mod p)       if σ = 1 



The first version is for the player who sends out the initial DH message (Alice, 
in the original DH protocol; but this will vary below), having made choice σ 
whether to garble or not. The second version is for the player who responds, 
having made his own choice σ about whether to garble or not. 

Fig. 1 describes the details of the protocol. 



Why Garble? Recall that the simulator S plays the hand of an honest player 
(within the proposed OT protocol) when it constructs an environment for the 
adversary. But S can play that hand dishonestly (for the desired purpose of 
deceiving an attacker, after all!), by always producing ungarbled instances. By 
withholding suitable exponents, S can nevertheless make any ungarbled instance 
look garbled, since no computationally-bounded judge can detect the difference 
between four DH triples (fake distribution) and four triples of which one is DH 
and three are wholly random (real distribution). This remains true even when 
the adversary obtains all information that Alice and Bob would hold; S keeps 
the logarithms up his sleeve. 
3.2 Malicious Players 

Although these techniques are strongly motivated by the application of DH to 
adaptively-secure encryption in [B97], note that they suffice only for the case 
of honest players. Malicious misbehavior is of little concern in encryption (i.e. 
it can be handled trivially), where the sender generally has little to gain by 
causing the receiver to accept nonsense messages. Here, however, both sender 
and receiver have something to gain by misbehaving. 

Protecting against malicious behavior will consist of two parts: (1) using com- 
mittal to enable suitable random number generation; (2) using zero-knowledge 
proofs of knowledge (ZKPK’s) to extract effective values and ensure compliance 
with the rules (cf. [GMW86, TW87]). 

The central problem with this “obvious” cryptographic solution is that the 
commitments and ZKPK’s might defeat the simulator’s ability to provide equiv- 
ocal facsimiles. Thus, the tricks of [B97] are insufficient, by themselves, to achieve 
our desired goal. 

By [B95a], however, it suffices to employ committals that are weakly content- 
equivocable (a.k.a. chameleon [BCC88], a.k.a. trapdoor [FS90b]). That is, the 
“receiver” should be able to “open” the committed bits to 0 or to 1, using 
knowledge held by the receiver. 

Brassard, Chaum and Crépeau provide a discrete-logarithm-based implemen- 
tation of chameleon blobs [BCC88]. This commitment scheme enables the sim- 
ulator to extract the effective α_ij/β_ij values used by the adversary. 
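The weakly content-equivocable (chameleon) commitment the preceding two paragraphs rely on, as an added example that is not part of the paper and is a discrete-log construction in the style of [BCC88] rather than a transcription of that reference. The receiver publishes h = g^t and keeps t; a commitment to a bit is g^r h^bit. Without t, changing the opened bit requires log_g h; with t, the receiver (or a simulator holding t) can open to either bit, which is exactly the "open the committed bits to 0 or to 1" property the text asks for. The group is the constructed toy p = 23, g = 2 of order 11.

```python
"""Added example (not the paper's code): a discrete-log chameleon (trapdoor)
commitment in the style of [BCC88].  Constructed toy group: p = 23, q = 11,
g = 2 generates the order-11 subgroup <g> (insecurely small)."""
import random

P, Q, G = 23, 11, 2
rng = random.Random(7)   # seeded so the demo is reproducible


def receiver_setup():
    """Receiver picks trapdoor t and publishes h = g^t (honest setup assumed)."""
    t = rng.randrange(1, Q)
    return t, pow(G, t, P)


def commit(h, bit):
    """Committer: C = g^r * h^bit mod p with fresh r.  Returns (C, r)."""
    r = rng.randrange(Q)
    return (pow(G, r, P) * pow(h, bit, P)) % P, r


def open_ok(h, C, bit, r):
    """Anyone: accept the opening (bit, r) iff g^r * h^bit == C."""
    return (pow(G, r, P) * pow(h, bit, P)) % P == C


def equivocate(t, r, bit, new_bit):
    """Trapdoor holder: r' = r + t*(bit - new_bit) mod q satisfies
    g^r' * h^new_bit == g^r * h^bit, so C opens to new_bit as well."""
    return (r + t * (bit - new_bit)) % Q


def hiding_is_perfect(h):
    """Both bits yield the same multiset of commitment values: nothing about
    the bit leaks, even information-theoretically."""
    c0 = sorted(pow(G, r, P) % P for r in range(Q))
    c1 = sorted((pow(G, r, P) * h) % P for r in range(Q))
    return c0 == c1


def demo():
    """Commit to 1, then use the trapdoor to open the same C as 0."""
    t, h = receiver_setup()
    C, r = commit(h, 1)
    r_alt = equivocate(t, r, 1, 0)
    return open_ok(h, C, 1, r), open_ok(h, C, 0, r_alt), hiding_is_perfect(h)
```

The simulator's use in the paper is the second return value: it commits honestly, then, once it learns the value it must be consistent with, computes the alternative opening with the trapdoor.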

To complete the discrete-logarithm-based solution, we add the following 
straightforward complications (cf. [GMW87]). The random values a_ij and b_ij 
are constructed from precursors: a_ij ← a⁰_ij + Δa_ij; b_ij ← b⁰_ij + Δb_ij. Alice com- 
mits to a⁰_ij and Δb_ij, and Bob commits conversely. They then reveal the Δa_ij, 
Δb_ij values and proceed as before. (The guaranteed randomization of the α_ij’s 
and β_ij’s is similar.) Each party must then give a ZKPK that they used the 
proper a_ij, α_ij, or b_ij, β_ij value. Bob must give a ZKPK that x_cm^{b_cm} == z_cm. 

4 Proving Security 

Recall that S must simultaneously create a fake environment for Adv while “at- 
tacking” an execution of the ideal specification. 

Actions in the Ideal Setting. When S engages in an extraction of knowledge 
from Adv that fails, S then deliberately aborts the ideal protocol. (This reflects a 
malicious adversary’s rightful ability to stop participating.) When the extraction 
succeeds, S uses the value on behalf of the corrupt A or B in the ideal protocol. 



4.1 Equivocation 

We first sketch how the weak equivocation properties are satisfied when Alice or 
Bob are initially corrupted, and then discuss strong equivocation. 
OT-Honest 

0. Public: prime p, generator g mod p 

1.1. B: c ← $(0,1), m ← $(0,1)                        // choice and mask 
       for i = 0,1, j = 0,1: 
         if (i == c and j == m) then β_ij ← 1 else β_ij ← 0 
         b_ij ← $(Z_{p−1}) 
         y_ij ← G(β_ij, b_ij) 

1.2. B→A: y_00, y_01, y_10, y_11 

2.1. A: m_0 ← $(0,1), m_1 ← $(0,1)                    // masks for transferred bits 
       for i = 0,1, j = 0,1: 
         if (m_i == j) then α_ij ← 1 else α_ij ← 0 
         a_ij ← $(Z_{p−1}) 
         (x_ij, z_ij) ← G(α_ij, a_ij, y_ij) 

2.2. A→B: x_00, x_01, x_10, x_11, z_00, z_01, z_10, z_11 

3.1. B: if (x_cm^{b_cm} == z_cm) then s ← 1 else s ← 0 

3.2. B→A: s                                            // success if 1 

// To use successful attempts (after [B96]): 

S1.1. B: get input choice C 
         γ ← C ⊕ c 

S1.2. B→A: γ 

S2.1. A: get input bits M_0, M_1 
         w_0 ← M_0 ⊕ m_γ 
         w_1 ← M_1 ⊕ m_{1−γ} 

S2.2. A→B: w_0, w_1 

S3.1. B: M_C ← w_C ⊕ m 

Fig. 1. Adaptively secure chosen-½-OT, for honest players. 
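An honest-players run of the protocol of Fig. 1, together with the garbling functions G(σ, s) and G(σ, s, r) of §3.1, as an added example that is not the paper's own code. The parameters are constructed: a safe prime of about 2^24 found by trial division (an assumption for the demo, and far too small for real use), ĝ the smallest generator of Z_p^*, g = ĝ². A "garbled" element is produced by raising g to a throw-away exponent that is immediately discarded, which is how this example realizes "choosing r directly without knowing its discrete logarithm" while keeping the element inside ⟨g⟩. Steps 1 to 3 are retried until Bob reports success, then S1 to S3 transfer the chosen bit.

```python
"""Added example (not the paper's code): an honest-players run of the
chosen-(1/2)-OT of Fig. 1 with the garbling functions of Section 3.1.
Constructed parameters: a ~2^24 safe prime found by trial division."""
import random


def is_prime(n):
    """Trial division; adequate for the ~24-bit toy modulus used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def safe_prime_from(start):
    """Smallest safe prime p >= start, i.e. p = 2q + 1 with q also prime."""
    p = start | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    return p


P = safe_prime_from(1 << 24)
Q = (P - 1) // 2
# g_hat generates Z_p^* (order 2q: neither h^2 nor h^q is 1); g = g_hat^2 generates <g>.
G_HAT = next(h for h in range(2, P) if pow(h, 2, P) != 1 and pow(h, Q, P) != 1)
G = pow(G_HAT, 2, P)

rng = random.Random(1998)   # seeded so the demo is reproducible


def garbled():
    """An element of <g> chosen "directly": its discrete log is thrown away."""
    return pow(G, rng.randrange(Q), P)


def G1(sigma, s):
    """G(sigma, s): first DH message, g^s iff sigma == 1, else garbled."""
    return pow(G, s, P) if sigma == 1 else garbled()


def G2(sigma, s, r):
    """G(sigma, s, r): reply and key, (g^s, r^s) iff sigma == 1, else both garbled."""
    return (pow(G, s, P), pow(r, s, P)) if sigma == 1 else (garbled(), garbled())


IDX = [(i, j) for i in (0, 1) for j in (0, 1)]


def attempt():
    """Steps 1-3 of OT-Honest. Returns (s, Bob's (c, m), Alice's (m_0, m_1))."""
    # 1.1 Bob: choice c and mask m; only instance (c, m) is left ungarbled.
    c, m = rng.randrange(2), rng.randrange(2)
    beta = {ij: int(ij == (c, m)) for ij in IDX}
    b = {ij: rng.randrange(P - 1) for ij in IDX}
    y = {ij: G1(beta[ij], b[ij]) for ij in IDX}             # 1.2 B->A: y_ij
    # 2.1 Alice: masks m_0, m_1; instance (i, j) is ungarbled iff m_i == j.
    m_a = (rng.randrange(2), rng.randrange(2))
    alpha = {(i, j): int(m_a[i] == j) for (i, j) in IDX}
    a = {ij: rng.randrange(P - 1) for ij in IDX}
    xz = {ij: G2(alpha[ij], a[ij], y[ij]) for ij in IDX}    # 2.2 A->B: x_ij, z_ij
    # 3.1 Bob: success iff instance (c, m) completed as a genuine DH exchange.
    x_cm, z_cm = xz[(c, m)]
    s = int(pow(x_cm, b[(c, m)], P) == z_cm)               # 3.2 B->A: s
    return s, (c, m), m_a


def chosen_ot(M0, M1, C):
    """Retry until an attempt succeeds, then run S1-S3. Returns (M_C, attempts)."""
    attempts = 0
    while True:
        attempts += 1
        s, (c, m), (m0, m1) = attempt()
        if s == 1:
            break
    gamma = C ^ c                                            # S1: B->A: gamma
    masks = (m0, m1)
    w0, w1 = M0 ^ masks[gamma], M1 ^ masks[1 - gamma]       # S2: A->B: w_0, w_1
    # S3: on success m == m_c, so Bob unmasks exactly the bit he chose; the
    # other bit is masked with the mask whose DH instance he garbled.
    return (w0, w1)[C] ^ m, attempts
```

Each attempt succeeds with probability 1/2 (Alice's mask m_c must equal Bob's m), which is the retry loop the text describes; Alice never learns which attempt index succeeded, and Bob never learns the mask protecting the bit he did not choose.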

Weak Result Equivocation. Assume that Alice is passively corrupted. To simulate 
Bob, generate b_ij ← $(Z_{p−1}), but do not choose the β_ij’s yet. Set y_ij ← g^{b_ij}, 
and hand these values to adversary Adv. 

Extract Adv’s choices for α_ij from its proof of knowledge. Select s ← $(0, 1). 
If the attempt is to fail (s = 0), then choose the β_ij’s conditioned on failure. 
In particular, let m_0, m_1 be such that α_{0,m_0} = α_{1,m_1} = 1.⁶ Set c ← $(0,1) 
and take m ← 1 − m_c, which enforces a failure. Set β_cm ← 1 and β_ij ← 0 
for (i,j) ≠ (c,m). Set b_cm ← b_cm (which conveniently makes y_cm == g^{b_cm}) 
and b_ij ← y_ij for (i,j) ≠ (c,m). Thus, even though the three values were 
chosen with known discrete logarithms (i.e. known to the simulator), it appears 
as though they were chosen directly at random. 

If the attempt is to succeed (s = 1), then we must enable result-equivocation. 
The nontrivial case occurs when Bob is corrupted after a successful transmission. 
(The analysis is similar, indeed trivial, if no bit has been transmitted.) The values 
wo,w\ are obtained from Alice. Because Bob is now corrupt, the simulator is 

⁶ Actually, m_0, m_1 may be read directly from the honest machine. Otherwise, they are 
calculated from the extracted α_ij values. 
entitled to learn the choice C that Bob made, along with the transmitted bit 
M_C. Set c ← C ⊕ γ and m ← M_C ⊕ w_C. Set β_cm ← 1 and β_ij ← 0 for 
(i,j) ≠ (c,m). Set b_cm ← b_cm (which conveniently makes y_cm == g^{b_cm}) and 
b_ij ← y_ij for (i,j) ≠ (c,m). Again, even though the three b_ij values were chosen 
with known discrete logarithms, it appears as though they were chosen directly 
at random. 

Weak Content Equivocation. Assume that Bob is passively corrupted. Extract 
c, m such that β_cm = 1. To simulate Alice, simply follow Alice’s program, except 
for the calculation of (x_ij, z_ij). Instead of using (x_ij, z_ij) ← G(α_ij, a_ij, y_ij), set 
(x_ij, z_ij) ← (g^{d_ij}, y_ij^{d_ij}) for randomly selected d_ij ← $(Z_{p−1}). 

In case of failure (α_cm = 0), simply withhold the known discrete logarithms. 
That is, set a_{0,m_0} ← d_{0,m_0}, a_{0,1−m_0} ← x_{0,1−m_0}, a_{1,m_1} ← d_{1,m_1}, 
a_{1,1−m_1} ← x_{1,1−m_1}. 

In case of success (α_cm = 1), withhold one of the discrete logarithms by 
setting a_cm ← d_cm, a_{c,1−m} ← x_{c,1−m}. (The other pair remains “indeterminate” 
for now, so the simulator can withhold the discrete logarithm of either member 
of the pair, thereby effectively reversing the unknown bit.) Obtain Bob’s final 
choice C and the value M_C he is entitled to learn. Set w_C ← M_C ⊕ m but w_{1−C} ← 
$(0, 1) (this corresponds to the masked, unchosen bit M_{1−C}). When Alice is later 
corrupted and bit M_{1−C} is obtained, equivocate w_{1−C} as follows. Calculate 
m_{1−c} ← w_{1−C} ⊕ M_{1−C}, and set α_{1−c,m_{1−c}} ← 1, α_{1−c,1−m_{1−c}} ← 0. Withhold 
a second discrete logarithm by taking a_{1−c,m_{1−c}} ← d_{1−c,m_{1−c}}, a_{1−c,1−m_{1−c}} ← 
x_{1−c,1−m_{1−c}}. 

Strong Equivocation. Note that in the absence of corruptions, S’s calculations 
and “public traffic” will be consistent with the steps described above for both 
Alice and Bob. Thus, until Adv makes its first corruption request, S follows the 
steps described above for both Alice and Bob. If Alice is corrupted first, S follows 
the weak R.E. steps to create Alice’s view, then continues with the weak C.E. 
steps. If Bob is corrupted first, the converse programs are followed. 

4.2 Reduction to Diffie-Hellman (DDHA) 

The distribution that Adv obtains by interacting with the simulator differs from that obtained in a regular execution in precisely one way: for certain triples $(x_{ij}, y_{ij}, z_{ij})$, the fake distribution follows the correlated Diffie-Hellman distribution $D_p$, whereas the "real-life" distribution contains three fully independent random variables. 

These triples occur only in successful attempts, and only on indices where neither Alice nor Bob has chosen to know the discrete logarithm. That is, neither $\log_g x_{ij}$ nor $\log_g y_{ij}$ is known to Alice or Bob, and in particular, Adv never learns them as a result of corrupting Alice or Bob. 

Straightforward arguments (see [B97], for example) show that distinguishing the simulator's faked view from an actual view would enable distinguishing $D_p$ from independently-random triples, violating the DDHA. 

Note in particular that this is why failed attempts must be fully discarded.* If the protocol were changed to capitalize on mismatched attempts (intuitively, Alice's index choice remains secret and known only to the two of them even in case of mismatch!) the simulator proof would fail. For instance, if Bob knows $\log_g x_{ij}$, the simulation would be detectably fake, because the corresponding relation on $z_{ij}$ would hold in the simulated cases. 

5 Generalizations and Applications 

To use other intractability assumptions, such as RSA or factoring, a suitable 
key-exchange construction suffices. In particular, the dense secure public-key 
cryptosystems of DeSantis and Persiano are appropriate [DP92]. 

General Assumptions. A more general construction (cf. [DP92, CFGN96]) employs one-way trapdoor permutation families with the property that permutations can also be generated (indistinguishably) without simultaneously generating a trapdoor. Two modifications are needed. 

First, in the honest OT protocol, Alice and Bob respectively choose and report four permutations, $f_{ij}, g_{ij}$. For garbled channels, each generates the permutation without the trapdoor, and sends random numbers. For ungarbled channels, each chooses an accompanying trapdoor. Bob sends $y_{ij} \leftarrow f_{ij}(b_{ij})$; Alice returns $z_{ij}$ computed from $y_{ij}$. Note that $z_{ij} = b_{ij}$ precisely when Alice and Bob garble the same channel. 

Second, malicious behavior is again resisted through ZKPK’s; the gen- 
eral constructions of Feige and Shamir [FS90a, FS90b] provide the needed 
trapdoor/chameleon/weak-equivocation property. 

Third Parties. When third parties are available - as in the case of a multiparty 
computation - one-way trapdoor permutations without the extra oblivious- 
generation property can be used. These third parties need not be individually 
trusted, but at least one of them must remain honest. We also require a broadcast 
channel. 

As in the clever construction used in [CFGN96] for encryption, the ultimate permutations are composed of permutations generated by the third parties, who allow Bob and Alice to learn trapdoors selectively. Receiver Bob learns one of four (rather than of two) trapdoors by way of EGL/GMW (i)OT. Unlike [CFGN96], however, sender Alice also learns trapdoors: one from each of two pairs. The remainder of the protocol follows the Diffie-Hellman solution proposed in this work. Malicious behavior is avoided through network-based commitment and proofs, which do not require the set of faults to be a minority. 

* Note: this does not mean erased; the simulator is choosing what to place in the details of a full player history. To simulate a failed attempt, the simulator behaves perfectly accurately on behalf of any corrupt party/parties. Only the successful attempts suffer any mathematical (but still negligible) distinction from the real-life distribution. 
Although this approach relies on a weaker assumption, it is far less efficient, requiring network-wide interaction for each transfer. Note that applying [CFGN96] to encrypt an information-theoretically secure OT protocol using [BGW88, CCD88] would also suffice, but it requires that faults be a strict minority. 

Faulty Majority. While adaptively-secure encryption enables one to con- 
struct adaptively-secure multiparty protocols when there is a faulty minority 
[BH92, CFGN96], it does not directly suffice when there is a faulty majority. 
In separate work [B96b], we show that the tools described in this paper make 
possible the construction of a provably fair and secure protocol for multiparty 
function evaluation even in the presence of a majority of faults, using techniques 
of Beaver, Goldwasser and Levin [BG89, GL90]. 
Abstract 

Pseudorandom binary sequences derived from the ML-sequences over the integer residue ring $Z/(2^e)$ are proposed and studied in [1-10]. This paper is divided into two parts. The first part is on the nondegenerative ML-sequences. In this part the so-called quasi-period of a ML-sequence is introduced, and it is noted that a ML-sequence may degenerate in the sense that it has the quasi-period shorter than its period, and the problem of constructing the nondegenerative ML-sequences is solved by giving a criterion for nondegenerative primitive polynomials. In the second part, based on the constructions [1, 6, 7] of some classes of injective mappings which compress ML-sequences over rings to binary sequences, some new classes of the injective compression mappings are proposed and proved. 

Keywords: nondegenerate ML-sequence, quasi-period, injective compression mapping 



1 Introduction 

The maximal length sequences of elements in the integral residue ring $Z/(2^e)$ (ML-sequences over $Z/(2^e)$), whose definition will be recalled in the next section, and the binary sequences derived from ML-sequences are proposed and studied in [1-9]. The research shows that the binary sequences derived from ML-sequences may provide a good source of pseudorandom sequences and have a potential perspective in cryptographic applications. 

The integral residue ring $Z/(2^e)$ is the set of $2^e$ integral residue classes $\{i \pmod{2^e} \mid 0 \le i < 2^e\}$; the class $i \pmod{2^e}$ will be written simply as $i$ or as any integer of the form $i + k2^e$ with $k$ an integer. Any element $b$ belonging to $Z/(2^e)$ has a binary decomposition $b = \sum_{i=0}^{e-1} b_i 2^i$, $b_i \in \{0, 1\}$, where $b_i$ is called the $i$th level bit of $b$, and $b_{e-1}$ the highest level bit (or the most significant bit) of $b$. If $a_t$ is an element in $Z/(2^e)$ with the binary decomposition $a_t = \sum_{i=0}^{e-1} a_{t,i} 2^i$, then the sequence $a = \{a_t\}_{t=0}^{\infty}$ has a binary decomposition $a = \sum_{i=0}^{e-1} a_i 2^i$, where $a_i = \{a_{t,i}\}_{t=0}^{\infty}$ is a binary sequence called the $i$th level component of $a$. 

The highest level component sequence of a ML-sequence over $Z/(2^e)$ is the most naturally derived binary sequence. More binary sequences can be derived from a ML-sequence over $Z/(2^e)$ by mixing the bits at its highest level with the bits at the lower levels. This can provide a convenient way of generating pseudorandom binary sequences on computers when $e$ is chosen as the processor word length. It is shown that the derived binary sequences have guaranteed large periods [5] and a guaranteed large lower bound on their linear complexities [4]. It is also shown that the distributions of the elements 0 and 1 of the derived binary sequences are close to balanced [8, 9, 10]. In addition, it is proved [1, 6, 7] that the mapping which compresses the ML-sequences over $Z/(2^e)$ to their highest level component sequences is injective, and that a large class of mappings which compress the ML-sequences over $Z/(2^e)$ to binary sequences by mixing the highest level component sequences with the lower level ones are also injective. The injectiveness of these compression mappings is desirable when the ML-sequences are used as a source of pseudorandom sequences, since in this case different initial states of a ML-sequence do lead to different pseudorandom sequences. 

In this paper we keep studying the ML-sequences and the compression mappings; the contents are divided into two parts. In the first part, the work is started by noticing the phenomenon that a ML-sequence may degenerate in the sense that its quasi-period (which will be defined in Section 2) is shorter than its period, and that the degenerative ML-sequences are undesirable in applications. So we study the problem of how to construct nondegenerative ML-sequences. As a result, it is shown (Theorem 3) that an ML-sequence degenerates if and only if the corresponding primitive polynomial (i.e., its minimal polynomial) degenerates in the same sense that its quasi-period (which will be defined in Section 2) is shorter than its period; thus the problem of constructing nondegenerate ML-sequences is reduced to the problem of constructing nondegenerate primitive polynomials, and the latter is solved (Theorem 4) by giving a criterion for nondegenerative primitive polynomials. In the second part, based on the constructions [1, 6, 7] of some classes of injective compression mappings, some new classes of injective compression mappings are proposed and proved. 



2 Constructions of Nondegenerative ML-Sequences 

Before coming to the main topic, we recall some basic concepts and basic facts which we need. Let $a = \{a_i\}_{i=0}^{\infty}$ be a sequence of elements in $Z/(2^e)$ obeying the linear recursion of the form $a_{i+n} = -\sum_{j=0}^{n-1} c_j a_{i+j} \pmod{2^e}$, $\forall i \ge 0$, with $(a_0, a_1, \ldots, a_{n-1})$ specifying the initial condition, and with $c_j$ constants in $Z/(2^e)$. As usual, the monic polynomial $f(x) = x^n + \sum_{j=0}^{n-1} c_j x^j$ is called a characteristic polynomial of $a$; the characteristic polynomial with the least degree is called the minimal polynomial of $a$. The polynomial $f(x)$ has the binary decomposition $f(x) = \sum_{i=0}^{e-1} f_i(x) 2^i$, where $f_i(x) = \sum_{j=0}^{n} c_{j,i} x^j$ and $c_j = \sum_{i=0}^{e-1} c_{j,i} 2^i$ is the binary decomposition of $c_j$. 

In this paper we always assume $c_0 \equiv 1 \pmod 2$. 

Definition: The period of $a = \{a_i\}_{i=0}^{\infty}$, denoted by $per(a)$, is defined to be the least positive integer $t$ satisfying $a_{t+i} = a_i$, $\forall i \ge 0$. 

Definition: The period of $f(x)$ over $Z/(2^e)$, denoted by $per(f(x))_{2^e}$, is defined to be the least positive integer $t$ satisfying $x^t = 1 \pmod{2^e, f(x)}$. 

Both $per(f(x))_{2^e}$ and $per(a)$ are upper bounded by $2^{e-1}(2^n - 1)$ [5], and this upper bound is attainable. 

Definition: $a$ is called a ML-sequence of degree $n$ if its period attains this upper bound $2^{e-1}(2^n - 1)$; and the polynomial $f(x)$ is called primitive over $Z/(2^e)$ if $per(f(x))_{2^e}$ attains this upper bound $2^{e-1}(2^n - 1)$. 

If $f_0(x)$ is primitive over $Z/(2)$, then there exists a polynomial $r(x) \in Z/(2^e)[x]$ such that 

$x^{2^n - 1} - 1 = f_0(x) r(x) \pmod 2$ (1) 

it is clear that $r(x) \pmod 2$ is uniquely determined; and there exists $h(x)$ over $Z/(2^e)[x]$ such that 

$x^{2^n - 1} = 1 + f_0(x) r(x) + 2h(x)$ 
$= 1 + \left( f_0(x) + \sum_{i=1}^{e-1} f_i(x) 2^i \right) r(x) + 2 \left( h(x) - r(x) \sum_{i=1}^{e-1} f_i(x) 2^{i-1} \right)$ 
$= 1 + 2 \left( h(x) - r(x) \sum_{i=1}^{e-1} f_i(x) 2^{i-1} \right)$ 
$= 1 + 2 h_f(x) \pmod{2^e, f(x)}$ 

where $h_f(x) = h(x) - r(x) \sum_{i=1}^{e-1} f_i(x) 2^{i-1}$; hence 

$h_f(x) \equiv h(x) - r(x) f_1(x) \pmod{2, f_0(x)}$ (2) 

and 

$x^{2^n - 1} = 1 + 2 h_f(x) \pmod{2^e, f(x)}.$ (3) 

Taking $f_i(x) = 0$ in (3), we get 

$x^{2^n - 1} = 1 + 2 h(x) \pmod{2^e, f_0(x)}.$ (4) 

It is also clear that both $h(x) \pmod{2, f_0(x)}$ and $h_f(x) \pmod{2, f_0(x)}$ are uniquely determined. 

We know the following theorem. 

Theorem 1 [2, 5] 

1. Let $per(f(x))_2 = T$; then $per(f(x))_{2^e} = 2^k T$, where $k$ is an integer with $0 \le k < e$. 

2. $a$ is a ML-sequence of degree $n$ if and only if $f(x)$ is primitive over $Z/(2^e)$ and $a_0 \ne 0$; and in this case, $f(x)$ is the minimal polynomial of $a$. 

3. The following conditions are equivalent: 

(a) $f(x)$ is primitive over $Z/(2^e)$, i.e., $per(f(x))_{2^e} = 2^{e-1}(2^n - 1)$, 

(b) $f_0(x)$ is primitive over $Z/(2)$, and $h_f(x) \ne 0 \pmod{2, f_0(x)}$ when $e = 2$ and $h_f(x)(h_f(x) + 1) \ne 0 \pmod{2, f_0(x)}$ when $e \ge 3$, 

(c) $f_0(x)$ is primitive over $Z/(2)$, and $f_1(x) \ne r(x)^{-1} h(x) \pmod{2, f_0(x)}$ when $e = 2$ and 

$f_1(x) \ne r(x)^{-1} h(x) \pmod{2, f_0(x)}$, 
$f_1(x) \ne r(x)^{-1} (h(x) + 1) \pmod{2, f_0(x)}$ 

when $e \ge 3$. 

Lemma 1 [2] Denote the formal derivative of $f_0(x)$ by $f_0'(x)$; we have 

1. $r(x)^{-1} = x f_0'(x) \pmod{2, f_0(x)}$, 

2. Denote $f_0(x) = \sum_{i \in S} x^i$, where $S$ is a subset of $\{i \mid 0 \le i \le n\}$, and denote $p(x) = \sum_{i, j \in S,\ i < j} [\text{summand illegible in the source}] \pmod{2, f_0(x)}$; then $r(x)^{-1} h(x) = p(x) \pmod{2, f_0(x)}$. 

Remark 1: Based on Lemma 1, the equivalent conditions for primitive polynomials given in Theorem 1 can be easily checked. 

Definition: The quasi-period of $a = \{a_i\}_{i=0}^{\infty}$, denoted by $Qper(a)$, is defined to be the least positive integer $t$ satisfying $a_{t+i} = c a_i$, $\forall i \ge 0$, with $c \in Z/(2^e)$. 

Definition: The quasi-period of $f(x)$ over $Z/(2^e)$, denoted by $Qper(f(x))_{2^e}$, is defined to be the least positive integer $t$ satisfying $x^t = c \pmod{2^e, f(x)}$ with $c \in Z/(2^e)$. 

Definition: We say a ML-sequence $a$ is nondegenerative if $Qper(a) = per(a)$; and say a primitive polynomial $f(x)$ is nondegenerative if $Qper(f(x))_{2^e} = per(f(x))_{2^e}$. 

The following theorem is on the relation between the quasi-periods and the periods of the polynomials over $Z/(2^e)$. 

Theorem 2 Let $per(f(x))_2 = T$ and $per(f(x))_{2^e} = 2^k T$; then $Qper(f(x))_{2^e} = 2^m T$ for some non-negative integer $m$ with $m \le k$. 

Proof Let $Qper(f(x))_{2^e} = t$; first we claim $T \mid t$, hence $t = bT$ for some integer $b$. In fact, we have $x^t = c \pmod{2^e, f(x)}$ for some $c \in Z/(2^e)$; since $(2^e, f(x)) \subset (2, f_0(x))$, $x^t = c \pmod{2, f_0(x)}$. We claim $c = 1 \pmod 2$, hence $T \mid t$; otherwise, we have $c = 0 \pmod 2$, and then $1 = x^{tT} = c^T = 0 \pmod{2, f_0(x)}$, a contradiction. Now consider the following set (where $Z$ is the integer ring): 

$\mathcal{T} = \{ t \mid x^t = c \pmod{2^e, f(x)},\ t \in Z,\ c \in Z/(2^e) \}$ (5) 

It is clear that $\mathcal{T}$ is an ideal of $Z$ containing $2^k T$, and $bT = Qper(f(x))_{2^e}$ is the positive generator of $\mathcal{T}$, so $bT$ must be a factor of $2^k T$; thus $b = 2^m$ for an integer $m$ with $m \le k$. □ 

It is easy to prove the following theorem. 

Theorem 3 If $a$ is an ML-sequence of degree $n$, then $Qper(a) = Qper(f(x))_{2^e}$; as a consequence, $a$ is nondegenerative if and only if $f(x)$ is nondegenerative. 

Based on Theorems 1 and 2, the problem of constructing nondegenerative ML-sequences is reduced to the problem of constructing nondegenerative primitive polynomials. The latter can be solved by the following theorem, which gives a criterion for nondegenerative primitive polynomials. 

Theorem 4 Let $f(x)$ be primitive over $Z/(2^e)$, and let $h(x) \pmod{2, f_0(x)}$ be the polynomial defined as in (4). We have 

1. When $e = 2$, the following conditions are equivalent: 

(a) $f(x)$ is nondegenerative. 

(b) $h_f(x) \ne 1 \pmod{2, f_0(x)}$. 

(c) $f_1(x) \ne r(x)^{-1}(1 + h(x)) \pmod{2, f_0(x)}$. 

2. When $e \ge 3$ and $n$ is odd, $f(x)$ is always nondegenerative. 

3. When $e \ge 3$ and $n$ is even, the following conditions are equivalent: 

(a) $f(x)$ is nondegenerative. 

(b) $h_f(x)(1 + h_f(x)) \ne 1 \pmod{2, f_0(x)}$. 

(c) $f_1(x) \ne r(x)^{-1}(x^{(2^n-1)/3} + h(x)) \pmod{2, f_0(x)}$ and $f_1(x) \ne r(x)^{-1}(1 + x^{(2^n-1)/3} + h(x)) \pmod{2, f_0(x)}$. 

Proof Write $T = 2^n - 1$. Taking squares on the two sides of the equation (3), we get 

$x^{2T} = 1 + 2^2 h_f(x)(h_f(x) + 1) \pmod{2^e, f(x)};$ 

continuing this way we get 

$x^{2^i T} = 1 + 2^{i+1} h_f(x)(h_f(x) + 1) \pmod{2^e, f(x)}, \quad 1 \le i < e.$ 

In particular, we get 

$x^{2^{e-2} T} = 1 + 2^{e-1} h_f(x)(h_f(x) + 1) \pmod{2^e, f(x)}.$ (6) 
320 



W. Qi, J. Yang, and J. Zhou 



For $e = 2$, we have 

$Qper(f(x))_{2^2} < per(f(x))_{2^2}$ 
$\iff Qper(f(x))_{2^2} = T$ (by Theorem 2) 
$\iff c = x^T = 1 + 2h_f(x) \pmod{2^2, f(x)}$ (by (3)) 
$\iff 2h_f(x) = 2b \pmod{2^2, f(x)}$, $b = 0$ or $1 \pmod 2$ 
$\iff h_f(x) = 1 \pmod{2, f_0(x)}$ (by the assumption and Theorem 1) 
$\iff f_1(x) = r(x)^{-1}(1 + h(x)) \pmod{2, f_0(x)}$ (by (2)). 

For $e \ge 3$, we get 

$Qper(f(x))_{2^e} < per(f(x))_{2^e}$ 
$\iff Qper(f(x))_{2^e} \mid 2^{e-2} T$ 
$\iff c = x^{2^{e-2} T} = 1 + 2^{e-1} h_f(x)(h_f(x) + 1) \pmod{2^e, f(x)}$ (by (6)) 
$\iff 2^{e-1} h_f(x)(h_f(x) + 1) = 2^{e-1} b \pmod{2^e, f(x)}$, $b = 0$ or $1$ 
$\iff h_f(x)(h_f(x) + 1) = 1 \pmod{2, f_0(x)}$ (by the assumption and Theorem 1). 

If we identify $(Z/(2))[x]/(f_0(x))$ with the finite field $GF(2^n)$, then it is clear that the fact "$h_f(x)(h_f(x) + 1) = 1 \pmod{2, f_0(x)}$" holds true if and only if $h_f(x)$ is a root of the irreducible polynomial $x^2 + x + 1$ over $Z/(2) = GF(2)$, i.e., one of the two elements of order 3. It is known that there exists such an $h_f(x)$ if and only if $n$ is even. Hence item 2 is true. Now for item 3, we know that the two roots of $x^2 + x + 1$ are $x^{(2^n-1)/3} \pmod{2, f_0(x)}$ and $1 + x^{(2^n-1)/3} \pmod{2, f_0(x)}$ (the two elements of order 3), so "$h_f(x)(h_f(x) + 1) = 1 \pmod{2, f_0(x)}$" holds true if and only if $h_f(x) = x^{(2^n-1)/3}$ or $h_f(x) = 1 + x^{(2^n-1)/3} \pmod{2, f_0(x)}$, which is further equivalent to the conditions shown in (3c) (by (2)). □ 

Remark 2: Based on Lemma 1, the equivalent conditions for nondegenerative primitive polynomials given in Theorem 4 can be easily checked. 

In studying the injective compression mappings, the so-called strongly primitive polynomial is introduced [1]; it is defined to be the primitive polynomial with $h_f(x) \ne 1 \pmod{2, f_0(x)}$ when $e = 2$, and the primitive polynomial with $h_f(x)(h_f(x) + 1) \ne 1 \pmod{2, f_0(x)}$ when $e \ge 3$. Now from Theorem 3 we get immediately 

Corollary 1 $f(x)$ is strongly primitive if and only if $f(x)$ is nondegenerative primitive, i.e., $Qper(f(x))_{2^e} = per(f(x))_{2^e}$. 



3 Compressing Mappings on ML-Sequences 

Let $f(x)$ be a primitive polynomial of degree $n$ over $Z/(2^e)$. We denote by $G(f(x))_{2^e}$ the set of all sequences over $Z/(2^e)$ generated by $f(x)$, by $S(f(x))_{2^e} = \{\alpha \in G(f(x))_{2^e} \mid \alpha_0 \ne 0\}$ the set of all ML-sequences over $Z/(2^e)$ generated by $f(x)$, and by $GF(2)^{\infty}$ the set of all sequences over $GF(2)$. For $\alpha \in G(f(x))_{2^e}$, we denote by $\alpha_i$ the $i$th level component of $\alpha$. Set $T = 2^n - 1$; by (3), we have 

$x^{2^{k-1} T} - 1 = 2^k h_k(x) \pmod{f(x), 2^e}$ 

where $k = 1, 2, \ldots, e-1$, $\deg h_k(x) < n$ and $h_k(x) \ne 0 \pmod 2$. In fact $h_1(x) = h_f(x) \pmod 2$, $h_2(x) = \cdots = h_{e-1}(x) = h_f(x)(h_f(x) + 1) \pmod{2, f(x)}$. 

Let $\alpha = \{a_i\}_{i=0}^{\infty}$ and $\beta = \{b_i\}_{i=0}^{\infty}$ be two sequences over $Z/(2^e)$; define 

$\alpha + \beta = \{a_i + b_i\}_{i=0}^{\infty}$, $\alpha\beta = \{a_i b_i\}_{i=0}^{\infty}$ and $x\alpha = \{a_{i+1}\}_{i=0}^{\infty}$. 

For $g(x) = \sum_{j=0}^{n} c_j x^j$ over $Z/(2^e)$, $g(x)\alpha = g(x)\{a_i\}_{i=0}^{\infty} = \{\sum_{j=0}^{n} c_j a_{j+i}\}_{i=0}^{\infty}$. 

[1, 6, 7] propose the following injectiveness theorem. 

Theorem 5 [1, 6, 7] Let $f(x)$ be a primitive polynomial over $Z/(2^e)$ and $\alpha, \beta \in G(f(x))_{2^e}$; then $\alpha = \beta$ if and only if $\alpha_{e-1} = \beta_{e-1}$. If $f(x)$ is strongly primitive over $Z/(2^e)$ and $\varphi(x_0, x_1, \ldots, x_{e-1}) = x_{e-1} + c x_{e-2} + \eta(x_0, x_1, \ldots, x_{e-3})$ is a Boolean function of $e$ variables, where $\eta(x_0, x_1, \ldots, x_{e-3})$ is a Boolean function of $e - 2$ variables and $c = 0$ or $1$, then for $\alpha, \beta \in G(f(x))_{2^e}$, $\alpha = \beta$ if and only if $\varphi(\alpha_0, \alpha_1, \ldots, \alpha_{e-1}) = \varphi(\beta_0, \beta_1, \ldots, \beta_{e-1})$ over $GF(2)$. 

By Theorem 5, the compression mapping $x_{e-1}$ or $x_{e-1} + c x_{e-2} + \eta(x_0, \ldots, x_{e-3})$ on $G(f(x))_{2^e}$ is injective, that is, the binary sequence $\alpha_{e-1}$ or $\alpha_{e-1} + c\alpha_{e-2} + \eta(\alpha_0, \alpha_1, \ldots, \alpha_{e-3})$ uniquely determines its original sequence $\alpha$; in other words, $\alpha_{e-1}$ or $\alpha_{e-1} + c\alpha_{e-2} + \eta(\alpha_0, \alpha_1, \ldots, \alpha_{e-3})$ contains all the information of $\alpha$. 
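As an added example (not part of the paper), the following Python code computes the period and quasi-period of a polynomial over $Z/(2^e)$ and of the ML-sequence it generates (the definitions of Section 2 and Theorems 2 and 3), and checks the first claim of Theorem 5 exhaustively for one small $f(x)$; the polynomials $x^2 + x + 3$ and $x^2 + 3x + 1$ over $Z/(4)$ and $x^3 + x + 1$ over $Z/(8)$ are constructed test cases, not taken from the paper.

```python
from itertools import product


def poly_mulmod(a, b, f, q):
    """Product of polynomials a, b (coefficient lists, lowest degree first)
    reduced modulo the monic polynomial f (f[-1] == 1) and the integer q.
    The result has exactly deg(f) coefficients."""
    n = len(f) - 1
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    # Eliminate x^d for d >= n using x^n = -(f[0] + f[1] x + ... + f[n-1] x^(n-1)).
    for d in range(len(prod) - 1, n - 1, -1):
        c = prod[d]
        if c:
            prod[d] = 0
            for k in range(n):
                prod[d - n + k] = (prod[d - n + k] - c * f[k]) % q
    return (prod + [0] * n)[:n]


def poly_periods(f, e):
    """Return (per(f)_{2^e}, Qper(f)_{2^e}): the least t with x^t = 1 and the
    least t with x^t = c, a constant, modulo (2^e, f(x)).  Brute force, so
    only for small n and e (assumes f[0] odd and n = deg f >= 2)."""
    q, n = 1 << e, len(f) - 1
    one = [1] + [0] * (n - 1)
    x = [0, 1] + [0] * (n - 2)
    power, qper = one, None
    bound = (1 << (e - 1)) * ((1 << n) - 1)      # upper bound on per(f) from [5]
    for t in range(1, bound + 1):
        power = poly_mulmod(power, x, f, q)
        if qper is None and not any(power[1:]):  # x^t is a constant
            qper = t
        if power == one:
            return t, qper
    raise ValueError("x is not a unit modulo (2^e, f(x))")


def ml_sequence(f, e, init, length):
    """Sequence over Z/(2^e) obeying a_{i+n} = -sum_{j<n} f[j] a_{i+j} (mod 2^e)
    from the initial state init = (a_0, ..., a_{n-1})."""
    q, n = 1 << e, len(f) - 1
    a = list(init)
    while len(a) < length:
        a.append(-sum(f[j] * a[-n + j] for j in range(n)) % q)
    return a[:length]


def seq_periods(a, e):
    """(per(a), Qper(a)) of a periodic prefix a, by brute force: per is the
    least t with a_{t+i} = a_i, Qper the least t with a_{t+i} = c a_i for some
    constant c in Z/(2^e).  The prefix must cover at least two periods."""
    q, L = 1 << e, len(a)
    qper = None
    for t in range(1, L // 2 + 1):
        if qper is None:
            for c in range(q):
                if all(a[t + i] == c * a[i] % q for i in range(L - t)):
                    qper = t
                    break
        if all(a[t + i] == a[i] for i in range(L - t)):
            return t, qper
    return None, qper


def level_component(a, i):
    """The i-th level component of a: the bit sequence (a_{t,i})_t."""
    return tuple((v >> i) & 1 for v in a)


def highest_level_is_injective(f, e):
    """Exhaustive check of the first claim of Theorem 5 for one f: every
    ML-sequence generated by f (initial state not all even, so that its 0-th
    level component is nonzero) has a distinct highest-level component."""
    q, n = 1 << e, len(f) - 1
    per, _ = poly_periods(f, e)
    seen = set()
    for init in product(range(q), repeat=n):
        if all(v % 2 == 0 for v in init):
            continue
        top = level_component(ml_sequence(f, e, init, per), e - 1)
        if top in seen:
            return False
        seen.add(top)
    return True


if __name__ == "__main__":
    # Constructed examples: x^2 + x + 3 and x^2 + 3x + 1 over Z/(4) are both
    # primitive (per = 6), but the second has x^3 = 3, a constant, so it
    # degenerates (Qper = 3 < per = 6); x^3 + x + 1 over Z/(8) has n odd.
    for f, e, init in [([3, 1, 1], 2, (1, 0)), ([1, 3, 1], 2, (1, 0)),
                       ([1, 1, 0, 1], 3, (1, 0, 0))]:
        per, qper = poly_periods(f, e)
        a = ml_sequence(f, e, init, 4 * per)
        print(f, "e =", e, "poly:", (per, qper), "sequence:", seq_periods(a, e),
              "highest level injective:", highest_level_is_injective(f, e))
```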

We study the injectiveness of general compression mappings in this section. Let $\varphi(x_0, \ldots, x_{e-1})$ be a Boolean function with $e$ variables; if the mapping 

$\varphi: G(f(x))_{2^e} \to GF(2)^{\infty}$, $\alpha = \alpha_0 + \alpha_1 2 + \cdots + \alpha_{e-1} 2^{e-1} \mapsto \varphi(\alpha_0, \ldots, \alpha_{e-1})$ 

is injective, then $\varphi(x_0, \ldots, x_{e-1})$ clearly contains $x_{e-1}$, i.e., $\varphi(x_0, \ldots, x_{e-2}, 0) \ne \varphi(x_0, \ldots, x_{e-2}, 1)$. 

Definition: Let $B = \{x_0^{i_0} x_1^{i_1} \cdots x_{e-1}^{i_{e-1}} \mid i_j = 0 \text{ or } 1,\ j = 0, 1, \ldots, e-1\}$ be the set of all single terms of Boolean functions of $e$ variables; define the order in $B$ as follows: 

$x_0^{i_0} x_1^{i_1} \cdots x_{e-1}^{i_{e-1}} > x_0^{j_0} x_1^{j_1} \cdots x_{e-1}^{j_{e-1}}$ 

provided that 

$i_0 + i_1 \cdot 2 + \cdots + i_{e-1} \cdot 2^{e-1} > j_0 + j_1 \cdot 2 + \cdots + j_{e-1} \cdot 2^{e-1}.$ 



Lemma 2 [10] Let $f(x)$ be a strongly primitive polynomial of degree $n$ over $Z/(2^e)$, $e \ge 3$, and $\varphi(x_0, x_1, \ldots, x_{e-1})$ a Boolean function of $e$ variables with $\varphi(x_0, x_1, \ldots, x_{e-1}) \ne 0$ and $1$. Let $x_{k_0} x_{k_1} \cdots x_{k_{t-1}}$ be the term of maximal order in $\varphi(x_0, x_1, \ldots, x_{e-1})$, and suppose the product $x_0 x_1$ of $x_0$ and $x_1$ is not a divisor of $x_{k_0} x_{k_1} \cdots x_{k_{t-1}}$, where $1 \le t \le e$, $0 \le k_0 < k_1 < \cdots < k_{t-1} \le e-1$. Then for $\alpha, \beta \in S(f(x))_{2^e}$, $\varphi(\alpha_0, \ldots, \alpha_{e-1}) = \varphi(\beta_0, \ldots, \beta_{e-1})$ implies $\alpha_0 = \beta_0$. 

Lemma 3 [10] Let $f(x)$ be a primitive polynomial of degree $n$ over $Z/(2^e)$, $e \ge 3$, $\alpha, \beta \in G(f(x))_{2^e}$ and $\alpha_0 = \beta_0$; then, for $3 \le k \le e-1$, over $GF(2)$ 

$(x^{2^{k-2} T} - 1)(\alpha_k + \beta_k) = (\alpha_{k-1} + \beta_{k-1}) h_2(x) \alpha_0 + h_2(x)(\alpha_1 + \beta_1)$ 

and 

$(x^{T} - 1)(\alpha_2 + \beta_2) = (\alpha_1 + \beta_1) h_1(x) \alpha_0 + h_1(x)(\alpha_1 + \beta_1).$ 
Lemma 4 [10] Let $f(x)$ be a primitive polynomial of degree $n$ over $Z/(2^e)$, $e \ge 3$, $\alpha, \beta \in G(f(x))_{2^e}$ and $\alpha_0 = \beta_0 \ne 0$. If $(\alpha_1 + \beta_1) h_1(x) \alpha_0 h_2(x) \alpha_0 = h_1(x)(\alpha_1 + \beta_1) h_2(x) \alpha_0$ over $GF(2)$, then $\alpha_1 = \beta_1$. 

Theorem 6 Let $f(x)$ be a strongly primitive polynomial of degree $n$ over $Z/(2^e)$, $e \ge 3$, and $\varphi(x_0, \ldots, x_{e-1}) = x_{e-1} + \eta(x_0, \ldots, x_{e-2})$ a Boolean function of $e$ variables. For $\alpha, \beta \in S(f(x))_{2^e}$, if 

$(\varphi(\alpha_0, \ldots, \alpha_{e-1}) + \varphi(\beta_0, \ldots, \beta_{e-1})) h_2(x) \alpha_0 = 0$ (7) 

then $\alpha = \beta$. 

Proof First we show $\alpha_0 = \beta_0$. Set $T = 2^n - 1$. $x^{2^{e-2} T} - 1$ acts on (7); then $(h_2(x)\alpha_0 + h_2(x)\beta_0) h_2(x) \alpha_0 = 0$, since $(x^{2^{e-2} T} - 1)\alpha_{e-1} = h_2(x)\alpha_0$, $(x^{2^{e-2} T} - 1)\beta_{e-1} = h_2(x)\beta_0$ and the periods of $\eta(\alpha_0, \ldots, \alpha_{e-2})$ and $\eta(\beta_0, \ldots, \beta_{e-2})$ divide $2^{e-2} T$. So $h_2(x)(\alpha_0 + \beta_0) h_2(x) \alpha_0 = 0$, which implies $\alpha_0 + \beta_0 = 0$ since $\alpha_0 + \beta_0$ is $0$ or an ML-sequence. Thus $\alpha_0 = \beta_0$. 

If $e = 3$, then $\varphi(\alpha_0, \alpha_1, \alpha_2) + \varphi(\beta_0, \beta_1, \beta_2) = \alpha_2 + \beta_2 + \eta(\alpha_0, \alpha_1) + \eta(\beta_0, \beta_1)$. The period of $\alpha_1 + \beta_1$ divides $T$ since $\alpha_0 = \beta_0$, so the period of $\eta(\alpha_0, \alpha_1) + \eta(\beta_0, \beta_1)$ divides $T$. Thus the period of $(\eta(\alpha_0, \alpha_1) + \eta(\beta_0, \beta_1)) h_2(x) \alpha_0$ divides $T$. $x^T - 1$ acts on 

$(\alpha_2 + \beta_2 + \eta(\alpha_0, \alpha_1) + \eta(\beta_0, \beta_1)) h_2(x) \alpha_0 = 0$ (8) 

then $0 = (x^T - 1)((\alpha_2 + \beta_2) h_2(x) \alpha_0) = ((x^T - 1)(\alpha_2 + \beta_2)) h_2(x) \alpha_0$. Then by Lemma 3, we have 

$(\alpha_1 + \beta_1) h_1(x) \alpha_0 h_2(x) \alpha_0 = h_1(x)(\alpha_1 + \beta_1) h_2(x) \alpha_0.$ 

Thus $\alpha_1 = \beta_1$ by Lemma 4. So $(\alpha_2 + \beta_2) h_2(x) \alpha_0 = 0$ by (8). $\alpha_2 + \beta_2$ is $0$ or an ML-sequence since $\alpha_1 = \beta_1$ and $\alpha_0 = \beta_0$. Therefore $\alpha_2 = \beta_2$, because the product of two ML-sequences over $GF(2)$ is not $0$. 

If $e > 3$, set 

$\eta_{e-2}(x_0, \ldots, x_{e-2}) = \eta(x_0, \ldots, x_{e-2}) = x_{e-2}\, \eta_{e-3}(x_0, \ldots, x_{e-3}) + \mu_{e-3}(x_0, \ldots, x_{e-3})$ 

and in general, we set 

$\eta_k(x_0, \ldots, x_k) = x_k\, \eta_{k-1}(x_0, \ldots, x_{k-1}) + \mu_{k-1}(x_0, \ldots, x_{k-1}),$ 

$k = e-2, e-3, \ldots, 2$. $x^{2^{e-3} T} - 1$ acts on (7); we have 

$(x^{2^{e-3} T} - 1)(\alpha_{e-1} + \beta_{e-1} + \alpha_{e-2}\, \eta_{e-3}(\alpha_0, \ldots, \alpha_{e-3}) + \beta_{e-2}\, \eta_{e-3}(\beta_0, \ldots, \beta_{e-3})) h_2(x) \alpha_0 = 0,$ 

that is, 

$[(x^{2^{e-3} T} - 1)(\alpha_{e-1} + \beta_{e-1}) + \eta_{e-3}(\alpha_0, \ldots, \alpha_{e-3}) + \eta_{e-3}(\beta_0, \ldots, \beta_{e-3})] h_2(x) \alpha_0 = 0.$ 

By Lemma 3, 

$((\alpha_{e-2} + \beta_{e-2}) h_2(x) \alpha_0 + h_2(x)(\alpha_1 + \beta_1) + \eta_{e-3}(\alpha_0, \ldots, \alpha_{e-3}) + \eta_{e-3}(\beta_0, \ldots, \beta_{e-3})) h_2(x) \alpha_0 = 0,$ 

that is 

$(\alpha_{e-2} + \beta_{e-2} + \eta_{e-3}(\alpha_0, \ldots, \alpha_{e-3}) + \eta_{e-3}(\beta_0, \ldots, \beta_{e-3})) h_2(x) \alpha_0 = h_2(x)(\alpha_1 + \beta_1) h_2(x) \alpha_0.$ (9) 

If $e > 4$, $x^{2^{e-4} T} - 1$ acts on (9) continuously, and so on; then we get 

$(\alpha_k + \beta_k + \eta_{k-1}(\alpha_0, \ldots, \alpha_{k-1}) + \eta_{k-1}(\beta_0, \ldots, \beta_{k-1})) h_2(x) \alpha_0 = h_2(x)(\alpha_1 + \beta_1) h_2(x) \alpha_0$ (10) 

where $k = e-2, e-3, \ldots, 2$. Finally, $x^T - 1$ acts on 

$(\alpha_2 + \beta_2 + \eta_1(\alpha_0, \alpha_1) + \eta_1(\beta_0, \beta_1)) h_2(x) \alpha_0 = h_2(x)(\alpha_1 + \beta_1) h_2(x) \alpha_0$ 

and we get $(\alpha_1 + \beta_1) h_1(x) \alpha_0 h_2(x) \alpha_0 = h_1(x)(\alpha_1 + \beta_1) h_2(x) \alpha_0$. So $\alpha_1 = \beta_1$ by Lemma 4 and $\alpha_k = \beta_k$ by (10), $k = 2, 3, \ldots, e-2$. Lastly, $\alpha_{e-1} = \beta_{e-1}$ by (7). Therefore $\alpha = \beta$. □ 



Corollary 2 Let $f(x)$ be a strongly primitive polynomial of degree $n$ over $Z/(2^e)$, $e \ge 3$, and $\varphi(x_0, \ldots, x_{e-1}) = x_{e-1} + \eta(x_0, \ldots, x_{e-2})$ a Boolean function of $e$ variables; then for $\alpha, \beta \in S(f(x))_{2^e}$, $\alpha = \beta$ if and only if $\varphi(\alpha_0, \ldots, \alpha_{e-1}) = \varphi(\beta_0, \ldots, \beta_{e-1})$. 

Theorem 7 Let $f(x)$ be a strongly primitive polynomial of degree $n$ over $Z/(2^e)$, $e \ge 3$, $\varphi(x_0, x_1, \ldots, x_{e-1})$ a Boolean function of $e$ variables containing $x_{e-1}$, and $x_{k_0} x_{k_1} \cdots x_{k_{t-1}}$ the term of maximal order in $\varphi(x_0, x_1, \ldots, x_{e-1})$. If $x_{k_0} x_{k_1} \cdots x_{k_{t-1}}$ is not divided by $x_0$ and $x_1$, i.e. $k_0 \ge 2$, then the compression mapping 

$\varphi: S(f(x))_{2^e} \to GF(2)^{\infty}$, $\alpha = \alpha_0 + \alpha_1 2 + \cdots + \alpha_{e-1} 2^{e-1} \mapsto \varphi(\alpha_0, \ldots, \alpha_{e-1})$ 

is injective, i.e., for $\alpha, \beta \in S(f(x))_{2^e}$, $\alpha = \beta$ if and only if $\varphi(\alpha_0, \ldots, \alpha_{e-1}) = \varphi(\beta_0, \ldots, \beta_{e-1})$. 

Proof If $t = 1$, the result follows immediately from Corollary 2. Assume $t > 1$ in the following. 

Let $\alpha, \beta \in S(f(x))_{2^e}$ and $\varphi(\alpha_0, \ldots, \alpha_{e-1}) = \varphi(\beta_0, \ldots, \beta_{e-1})$; then $\alpha_0 = \beta_0$ by Lemma 2. 

$\varphi(x_0, x_1, \ldots, x_{e-1})$ contains $x_{e-1}$, that is, $k_{t-1} = e-1$, so let 

$\varphi(x_0, \ldots, x_{e-1}) = x_{e-1}\, \eta(x_0, \ldots, x_{e-2}) + \lambda(x_0, \ldots, x_{e-2})$ (11) 

where $\eta(x_0, \ldots, x_{e-2}) \ne 0$. The term of maximal order in $\eta(x_0, \ldots, x_{e-2})$ is $x_{k_0} x_{k_1} \cdots x_{k_{t-2}}$. Thus we set $\eta_{k_{t-2}}(x_0, \ldots, x_{k_{t-2}}) = \eta(x_0, \ldots, x_{e-2})$ and 

$\eta_{k_{t-2}}(x_0, \ldots, x_{k_{t-2}}) = x_{k_{t-2}}\, \eta_{k_{t-3}}(x_0, \ldots, x_{k_{t-3}}) + \mu_{k_{t-2}-1}(x_0, \ldots, x_{k_{t-2}-1}).$ 

In general, we set 

$\eta_{k_s}(x_0, \ldots, x_{k_s}) = x_{k_s}\, \eta_{k_{s-1}}(x_0, \ldots, x_{k_{s-1}}) + \mu_{k_s - 1}(x_0, \ldots, x_{k_s - 1})$ (12) 

where $s = t-2, t-3, \ldots, 1$, and 

$\eta_{k_0}(x_0, \ldots, x_{k_0}) = x_{k_0} + \mu_{k_0 - 1}(x_0, \ldots, x_{k_0 - 1}).$ (13) 

Set $g_i(x) = \prod_{k} (x^{2^{k-1} T} - 1)$, where $k$ runs over $k_i, k_{i+1}, \ldots, k_{t-1}$ and $i = 1, 2, \ldots, t-1$. $g_1(x)$ acts on $\varphi(\alpha_0, \ldots, \alpha_{e-1}) = \varphi(\beta_0, \ldots, \beta_{e-1})$; then, by (11), (12) and (13), we get 

$(\alpha_{k_0} + \beta_{k_0} + \mu_{k_0 - 1}(\alpha_0, \ldots, \alpha_{k_0 - 1}) + \mu_{k_0 - 1}(\beta_0, \ldots, \beta_{k_0 - 1})) h_2(x) \alpha_0 = 0.$ 

So $\alpha = \beta \pmod{2^{k_0 + 1}}$ by Theorem 6. 

(i) If $t = 2$, then 

$\alpha_{e-1}\, \eta_{k_0}(\alpha_0, \ldots, \alpha_{k_0}) + \beta_{e-1}\, \eta_{k_0}(\beta_0, \ldots, \beta_{k_0}) + \lambda(\alpha_0, \ldots, \alpha_{e-2}) + \lambda(\beta_0, \ldots, \beta_{e-2}) = 0,$ 

that is 

$(\alpha_{e-1} + \beta_{e-1})\, \eta_{k_0}(\alpha_0, \ldots, \alpha_{k_0}) + \lambda(\alpha_0, \ldots, \alpha_{e-2}) + \lambda(\beta_0, \ldots, \beta_{e-2}) = 0.$ (14) 

By Lemma 3 

$(x^{2^{e-3} T} - 1)(\alpha_{e-1} + \beta_{e-1}) = (\alpha_{e-2} + \beta_{e-2}) h_2(x) \alpha_0 + h_2(x)(\alpha_1 + \beta_1) = (\alpha_{e-2} + \beta_{e-2}) h_2(x) \alpha_0.$ 

$x^{2^{e-3} T} - 1$ acts on (14); if $e - 3 \ge k_0$, then, since the period of $\eta_{k_0}(\alpha_0, \ldots, \alpha_{k_0})$ divides $2^{e-3} T$, 

$(\alpha_{e-2} + \beta_{e-2}) h_2(x) \alpha_0\, \eta_{k_0}(\alpha_0, \ldots, \alpha_{k_0}) + (\lambda_{e-3}(\alpha_0, \ldots, \alpha_{e-3}) + \lambda_{e-3}(\beta_0, \ldots, \beta_{e-3})) h_2(x) \alpha_0 = 0,$ 

that is 

$((\alpha_{e-2} + \beta_{e-2})\, \eta_{k_0}(\alpha_0, \ldots, \alpha_{k_0}) + \lambda_{e-3}(\alpha_0, \ldots, \alpha_{e-3}) + \lambda_{e-3}(\beta_0, \ldots, \beta_{e-3})) h_2(x) \alpha_0 = 0$ (15) 

where $\lambda_{e-3}(x_0, \ldots, x_{e-3})$ is determined by 

$\lambda_{e-2}(x_0, \ldots, x_{e-2}) = \lambda(x_0, \ldots, x_{e-2}) = x_{e-2}\, \lambda_{e-3}(x_0, \ldots, x_{e-3}) + \nu_{e-3}(x_0, \ldots, x_{e-3}).$ 

$x^{2^{e-4} T} - 1$ acts on (15) continuously if $e - 4 \ge k_0$. In general we have 

$((\alpha_k + \beta_k)\, \eta_{k_0}(\alpha_0, \ldots, \alpha_{k_0}) + \lambda_{k-1}(\alpha_0, \ldots, \alpha_{k-1}) + \lambda_{k-1}(\beta_0, \ldots, \beta_{k-1})) h_2(x) \alpha_0 = 0$ (16) 

where $k = e-2, \ldots, k_0 + 2, k_0 + 1$. $\lambda_{k_0}(\alpha_0, \ldots, \alpha_{k_0}) = \lambda_{k_0}(\beta_0, \ldots, \beta_{k_0})$ since $\alpha = \beta \pmod{2^{k_0 + 1}}$. 

By the case $k = k_0 + 1$ in (16), we have 

$(\alpha_{k_0 + 1} + \beta_{k_0 + 1})\, \eta_{k_0}(\alpha_0, \ldots, \alpha_{k_0}) h_2(x) \alpha_0 = 0.$ (17) 

Since $\alpha_{k_0 + 1} + \beta_{k_0 + 1}$ is $0$ or an ML-sequence over $GF(2)$ and $k_0 \ge 2$, if $x^{2^{k-1} T} - 1$ acts on (17), where $k = k_0$, then 

$[(x^{2^{k_0 - 1} T} - 1)\, \eta_{k_0}(\alpha_0, \ldots, \alpha_{k_0})]\,(\alpha_{k_0 + 1} + \beta_{k_0 + 1}) h_2(x) \alpha_0 = 0.$ (18) 

By $\eta_{k_0}(\alpha_0, \ldots, \alpha_{k_0}) = \alpha_{k_0} + \mu_{k_0 - 1}(\alpha_0, \ldots, \alpha_{k_0 - 1})$, (18) implies 

$(\alpha_{k_0 + 1} + \beta_{k_0 + 1}) h_2(x) \alpha_0 = 0,$ 

so $\alpha_{k_0 + 1} = \beta_{k_0 + 1}$. Then by (16), we obtain $\alpha_k = \beta_k$, $k = k_0 + 1, \ldots, e-2$. Finally, $\alpha_{e-1} = \beta_{e-1}$. 

(ii) If $t = 3$, $g_2(x)$ acts on $\varphi(\alpha_0, \ldots, \alpha_{e-1}) = \varphi(\beta_0, \ldots, \beta_{e-1})$; then 

$(\alpha_{k_1}\, \eta_{k_0}(\alpha_0, \ldots, \alpha_{k_0}) + \beta_{k_1}\, \eta_{k_0}(\beta_0, \ldots, \beta_{k_0})) h_2(x) \alpha_0 = 0,$ 

that is 

$(\alpha_{k_1} + \beta_{k_1})\, \eta_{k_0}(\alpha_0, \ldots, \alpha_{k_0}) h_2(x) \alpha_0 = 0.$ (19) 

As in case (i), $r_k(x) = \prod_{i=k}^{k_1 - 1} (x^{2^{i-1} T} - 1)$ acts on (19); then we obtain 

$(\alpha_k + \beta_k)\, \eta_{k_0}(\alpha_0, \ldots, \alpha_{k_0}) h_2(x) \alpha_0 = 0$ (20) 

$k = k_1 - 1, \ldots, k_0 + 2, k_0 + 1$. So $(\alpha_{k_0 + 1} + \beta_{k_0 + 1})\, \eta_{k_0}(\alpha_0, \ldots, \alpha_{k_0}) h_2(x) \alpha_0 = 0$. By the process of proof in (i), we have $\alpha_{k_0 + 1} = \beta_{k_0 + 1}$. Thus $\alpha_j = \beta_j$, $j = k_0 + 2, \ldots, k_1$, by (19) and (20). 

Finally, as $r_k(x)$ acts on (19), $s_k(x) = \prod_{i=k}^{e-2} (x^{2^{i-1} T} - 1)$ acts on 

$(\alpha_{e-1} + \beta_{e-1})\, \eta_{k_1}(\alpha_0, \ldots, \alpha_{k_1}) + \lambda(\alpha_0, \ldots, \alpha_{e-2}) + \lambda(\beta_0, \ldots, \beta_{e-2}) = 0.$ 

Similarly, we get $\alpha_j = \beta_j$, $j = k_1 + 1, \ldots, e-1$. Therefore $\alpha = \beta$. □ 
Abstract. The security of the alleged RC4 stream cipher and some variants is investigated. Cryptanalytic algorithms are developed for a known plaintext attack where only a small segment of plaintext is assumed to be known. The analysis methods reveal intrinsic properties of alleged RC4 which are independent of the key scheduling and the key size. The complexity of one of the attacks is estimated to be less than the time of searching through the square root of all possible initial states. However, this still poses no threat to alleged RC4 in practical applications. 

Keywords. Cryptanalysis. Stream Cipher. RC4. 

1 Introduction 

Many key stream generators proposed in the literature consist of a number of possibly clocked linear feedback shift registers (LFSRs) that are combined by a function with or without memory. LFSR-based generators are often hardware oriented and for a variety of them it is known how to achieve desired cryptographic properties. For software implementation, a few key stream generators have been designed which are not based on shift registers. One of these generators, known as (alleged) RC4, has been publicized and described in the literature. RC4 is widely used in commercial products and standards (one example is the Secure Sockets Layer standard SSL 3.0). 

RC4 takes an interesting design approach which is quite different from that of LFSR-based stream ciphers. This implies that many of the analysis methods known for such ciphers cannot be applied. The internal state of RC4 consists of a table of $2^n$ $n$-bit words and two $n$-bit pointers, where $n$ is a parameter (for the nominal version, $n = 8$). The table varies slowly in time under the control of itself. As discussed by Golic, for such a generator a few general statistical properties of the key stream sequence can be measured by standard statistical tests, but these criteria are hard to establish theoretically. A noticeable exception are the results in [2], which show a (slight) statistical deviation of the output stream of RC4. These results are mainly of theoretical interest, as a large amount of output stream is necessary before this deviation can be detected. It remains an open problem whether these results can be used to cryptanalyze RC4. 

The aim of this paper is to derive some cryptanalytic algorithms that find the correct initial state of the RC4 stream cipher using only a small segment of output stream, and to give precise estimates for the complexity of the attacks where possible. The cryptanalytic algorithms in this paper exploit the combinatorial nature of RC4 and allow one to find the initial table, i.e., the state at time $t = 0$. Knowledge of this table enables one to compute the complete output sequence without knowing the secret key. 

If the first portion of about $2^n$ output words is known, our basic algorithm allows one to find the initial table in a reduced search with complexity much lower than exhaustive search over all possible initial states. A careful analysis, which is confirmed by numerous experiments for different values of the word length $n$, shows that the complexity of the best attack is lower than the square root of all possible initial states. Our algorithms become infeasible for $n > 5$ and thus pose no threat to RC4 with $n = 8$ as used in practice. However, our attacks give new insight into the design principles of RC4, and the estimates of the complexity should give some realistic parameters for the security of RC4. Our results are intrinsic to the design principles of RC4 and are independent of the key scheduling and the size of the key. 

This paper is organized as follows. In Sect. 2 we give a description of RC4. In Sect. 3 we discuss an attack on a simplified version of RC4. Section 4 describes attacks on the full RC4, and Sect. 5 presents a possible optimization. We conclude in Sect. 6. 

2 Description of RC4 

We follow the description of RC4 as given in m. RC4 is a family of algorithms 
indexed by a positive integer n (in practice n = 8). The internal state of RC4 
at time t consists of a permutation table $S_t$ of $2^n$ n-bit words 
and of two pointer n-bit words $i_t$ and $j_t$. Thus the internal memory size is 
$M = \log(2^n!) + 2n$, where log denotes the logarithm to the base 2. The pointers $i_0$ 
and $j_0$ are initialized to zero. Let $Z_t$ denote the output n-bit word of RC4 at 
time t. Then the next-state and output functions of RC4 for every $t \geq 1$ are 
defined by 

$$i_t = i_{t-1} + 1 \qquad (1)$$

$$j_t = j_{t-1} + S_{t-1}[i_t] \qquad (2)$$

$$S_t[i_t] = S_{t-1}[j_t], \quad S_t[j_t] = S_{t-1}[i_t] \qquad (3)$$

$$Z_t = S_t[S_t[i_t] + S_t[j_t]] \qquad (4)$$

where all additions are modulo $2^n$. In one update, all the words in the table 
except the swapped ones remain the same (and swapping is only effective if 
$i_t \neq j_t$). The output n-bit word sequence is $Z = (Z_t)_{t \geq 1}$. Every word $Z_t$ is 
XORed with a piece of plaintext of length n bits to produce ciphertext, or 
XORed with ciphertext to produce plaintext. The initial table $S_0$ is derived 
from the secret key. The details of this derivation are not important for our 
attacks. 



3 Attacking Simplified RC4 

The swap operation in (3) makes the recovery of the table S very difficult. In 
this section we develop an attack on simplified versions of RC4, where the swap 
operation occurs less often. 

3.1 No Swap Operation 

RC4 without the swap operation (3) is useless as a key stream generator. The 
following theorem illustrates this. 

Theorem 1. If the swap operation in the state update is omitted, the key stream 
of RC4 becomes cyclic with a period $2^{n+1}$. 

Proof: Equation (4) gives: $Z_{t+2^n} = S[S[i_{t+2^n}] + S[j_{t+2^n}]]$. Because of the modular 
addition $i_{t+2^n} = i_t$. Since S is constant now, (2) can be applied repeatedly 
on $j_{t+2^n}$. We get: $Z_{t+2^n} = S[S[i_t] + S[j_t + S[i_{t+1}] + \cdots + S[i_{t+2^n}]]]$. Because S is a permutation, 
we can evaluate the summation, and $Z_{t+2^n} = S[S[i_t] + S[j_t + 2^{n-1}]]$. In 
a completely analogous way, we can derive $Z_{t+2^{n+1}} = S[S[i_t] + S[j_t]] = Z_t$. □ 
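Added example (Python, not code from the paper): the n-bit RC4 of Sect. 2, steps (1) to (4), with the swap of step (3) switchable, so that Theorem 1 and the intermediate step of its proof can be checked on small n. The class and function names and the seeded tables are my own constructions.

```python
# Added example, not code from the paper: the n-bit RC4 of Sect. 2,
# steps (1)-(4), with the swap of step (3) switchable so that Theorem 1
# (no swap => period 2^(n+1)) and its proof step can be checked directly.
import random


class SmallRC4:
    """RC4 with n-bit words: table S of 2^n words and pointers i, j."""

    def __init__(self, table, n, swap=True):
        size = 1 << n
        if sorted(table) != list(range(size)):
            raise ValueError("S_0 must be a permutation of 0..2^n-1")
        self.mask = size - 1          # all additions are modulo 2^n
        self.S = list(table)          # S_0 (derived from the key in real RC4)
        self.i = self.j = 0           # i_0 = j_0 = 0
        self.swap = swap

    def next_word(self):
        S = self.S
        self.i = (self.i + 1) & self.mask                  # (1)
        self.j = (self.j + S[self.i]) & self.mask           # (2)
        if self.swap:
            S[self.i], S[self.j] = S[self.j], S[self.i]    # (3)
        return S[(S[self.i] + S[self.j]) & self.mask]       # (4)

    def stream(self, m):
        """Z_1, ..., Z_m."""
        return [self.next_word() for _ in range(m)]


def random_table(n, seed):
    """Constructed S_0: a seeded random permutation of 0..2^n-1."""
    table = list(range(1 << n))
    random.Random(seed).shuffle(table)
    return table


def is_period(seq, p):
    """True if seq[t] == seq[t+p] wherever both indices exist."""
    return all(seq[t] == seq[t + p] for t in range(len(seq) - p))


def no_swap_period_holds(n, seed, rounds=4):
    """Theorem 1: without the swap, Z_{t+2^(n+1)} = Z_t for every t."""
    p = 1 << (n + 1)
    z = SmallRC4(random_table(n, seed), n, swap=False).stream(rounds * p)
    return is_period(z, p)


def j_half_shift_holds(n, seed):
    """Proof step: without the swap, j_{t+2^n} = j_t + 2^(n-1) mod 2^n,
    because the 2^n consecutive S[i_t] added into j are all of 0..2^n-1."""
    size = 1 << n
    rc4 = SmallRC4(random_table(n, seed), n, swap=False)
    js = []
    for _ in range(2 * size):
        rc4.next_word()
        js.append(rc4.j)
    return all((js[t] + size // 2) % size == js[t + size] for t in range(size))


if __name__ == "__main__":
    for n in (3, 4, 5):
        print(n, no_swap_period_holds(n, 1), j_half_shift_holds(n, 1))
```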

The algorithm to recover S works as follows. Initially, we guess a small subset 
of the entries of S. We derive the other entries from the observed key stream 
and 0. If we get a contradiction at some point, we know that we guessed one 
of the initial values wrongly. 

There are four possibly unknown variables in (4): $j_t$, $S[i_t]$, $S[j_t]$ and $S^{-1}[Z_t]$. 
If all four variables are known and a contradiction arises, we guessed one of the 
initial values wrongly. If three variables are known, we can determine the fourth. 

— If $S^{-1}[Z_t]$, $j_t$ and $S[i_t]$ are known, we can determine $S[j_t]$ as follows: 

$$S[j_t] = S^{-1}[Z_t] - S[i_t] \,. \qquad (5)$$

($S^{-1}[Z_t]$ is known if the value $Z_t$ is already filled in somewhere in S.) 

— If $S[j_t]$, and thus also $j_t$, are known, then 

$$S[S[i_t] + S[j_t]] = Z_t \,. \qquad (6)$$

— If $S[i_t]$ and $S^{-1}[Z_t]$ are known, then 

$$j_t = S^{-1}[S^{-1}[Z_t] - S[i_t]] \,. \qquad (7)$$

— If $S^{-1}[Z_t]$, $j_t$ and $S[j_t]$ are known, then 

$$S[i_t] = S^{-1}[Z_t] - S[j_t] \,. \qquad (8)$$

The initial value of j is known. If we guess the values of v entries at the 
beginning of S, we know the value of the j-pointer for the first v steps. In 
these steps we use (5) and (6) to determine new values of S. If we have not 
determined $S[v+1]$ after v steps, we “lose” knowledge of the j-pointer. We 
discard the following $Z_t$-values until we can use (7) to recover the value of j. 
Once j is recovered we can use (5) and (6) again, but we can also work backwards 
and use (8) to determine more entries of S. If v is too small, we will lose the 
value of j too fast and we will not be able to recover the table in this way. 

3.2 Reduced Swap Frequency 

In this version of RC4 we swap two entries after every s iterations. We start by 
applying the same algorithm as above, until the first swap occurs. If we do not 
know the value of j at this moment, we do not know with what value St[it] gets 
swapped. At this point we can only remove St[it] from our (incomplete) table. If 
the unknown j actually points at a table entry that we have already filled in, this 
entry will change in the RC4 table, but not in our partial solution. In this way, 
errors are introduced in our St table. After a while we will observe contradictions; 
however, it is not possible to determine which element is responsible for the 
contradiction. A naive solution is to remove the three entries involved when 
we encounter a contradiction. However, in this way we will destroy more good 
values than we are able to produce, and we will end up with an empty table. For a 
good solution strategy it is important that the number of removed correct values 
is minimal. We have developed a number of heuristics to solve this problem; 
the details are omitted because of space restrictions. The resulting algorithm 
converges very fast. 

If we increase the swap frequency 1/s towards 1, the algorithm needs a larger 
number of correctly guessed table entries before it can deduce the remainder of 
the table. Figure 1 shows the experimentally determined success probability as 
a function of the number of correctly guessed entries at the start, for swapping 
frequencies increasing from 1/128 to 1/2 (actual RC4 has swapping frequency 
1). For a success ratio of 50% we need 40 correctly guessed entries at the start 
if the swapping frequency equals 1/128. If the swapping frequency increases to 
1/2, we need about 240 correct entries. For a success ratio of 5%, we need 30, 
respectively 210 values. The complexity of this attack is proportional to the 
average number of trials required to guess the initial values correctly; e.g., there 
are approximately 2^^^ possible ways to assign 40 8-bit values of the permutation 
table. 

4 Attacking the Full RC4 

This section presents cryptanalytic attacks on RC4 which allow to find the initial 
table S = So, without guessing values initially. Instead, values are only guessed 
when they are needed. First the attacks are described and their efficiency is 
analyzed. Then some special cases are discussed and experimental results are 
presented. 
Fig. 1. Success ratio for various simplified versions of RC4 for which the swap frequency 
is reduced to 1/s. 



4.1 Description 

The idea of the algorithm may informally be described as follows. For times 
t = 1, 2, ..., m, if $S_{t-1}[i_t]$ or $S_{t-1}[j_t]$ have not already been assigned values at a 
previous time, choose a value v for $0 \leq v < 2^n$, compute $j_t$ and then 
choose $S_{t-1}[j_t]$. This is in order to be able to follow up the next update of the 
RC4 algorithm, i.e., in order that steps (1) to (4) are defined. We proceed so 
that at each time t an output word $\hat{Z}_t$ is produced with the property that $\hat{Z}_t$ 
has the correct value $\hat{Z}_t = Z_t$. This imposes several restrictions on the possible 
choices for $S_{t-1}[i_t]$, $S_{t-1}[j_t]$: 

i) As S is a permutation table, every new value $S_{t-1}[i_t]$ or $S_{t-1}[j_t]$ to be assigned 
has to be different from a value already chosen as a word in the table. 

The next two conditions represent two alternatives and are specific consequences 
of the design of RC4. 

ii) If the known output word $Z_t$ differs from all words which have previously 
been fixed in the S table, the sum $S_t[i_t] + S_t[j_t]$ occurring in step (4) has 
to differ from all index positions which already have values assigned. If this 
is satisfied, set $S_t[S_t[i_t] + S_t[j_t]] = Z_t$. Otherwise we have a contradiction in our search. 

iii) If $Z_t$ is equal to a word previously assigned in the S table then $S_t[i_t] + S_t[j_t]$ 
equals the index position of this assigned value. This either uniquely 
determines $S_t[j_t]$ or again leads to a contradiction. 

Although conditions i), ii) and iii) follow directly from the description of RC4, 
it is not obvious how to implement an efficient algorithm that exploits these re- 
strictions and how to obtain practically meaningful estimates for the complexity 
of such an algorithm. 

We implemented this attack by means of a recursive function guess(t). In the 
most elementary version, at each parameter t one update following steps (1) to (4) 
is effected. Thereby, three entries in the S table are affected or suitably chosen, 
one entry determined by $i_t$, one by $j_t$ and one by $Z_t$, so that the update at time 
t can be carried out and so that conditions i) to iii) are satisfied. 

For a given output word sequence of length m the programs start by calling 
guess(1). In the recursive calls for increasing t most branches end up in 
contradictions. If one branch has reached depth t = size + 1 in the recursive algorithm, 
we compute backwards the (correct) actual state to state t = 0, in order to get 
the initial table $S_0$. Experiments have shown that for the basic version of the 
attack as sketched, m = size = $2^n$ known output words are sufficient to uniquely 
determine the correct state. Note that for RC4 with n-bit words, there are a 
total of $2^n!$ different initial states. Thus, the required number of output words m 
can be estimated as the smallest integer such that $2^{nm} \geq 2^n!$. Clearly, $2^n$ upper 
bounds m for any value of n. (For n = 8, m ≈ 211.) 

We investigated several variants of the attack. In order to accelerate the 
attack in simulations, we pre-assigned the first few words in the S table at the 
beginning of the program execution. This has motivated a modification of the 
function guess(t) which is based on the following observation: if $S_{t-1}[i_t]$ has 
a value assigned one can compute $j_t$ according to step (2). Thus one can swap 
$S_{t-1}[i_t]$ and $S_{t-1}[j_t]$ even if $S_{t-1}[j_t]$ was not assigned a value before swapping. 
After swapping, $S_t[j_t]$ is assigned but $S_t[i_t]$ is not. 

As a consequence, suppose $S_{t-1}[i_t]$ has a value assigned but $S_{t-1}[j_t]$ has not. 
Assume now that the value $Z_t$ is different from all previously assigned values 
in the S table. Then instead of guessing the value of $S_{t-1}[j_t]$ one can check 
whether $S_t[i_{t+1}]$ has already been assigned a value and whether the value of 
$Z_{t+1}$ equals a value previously assigned in the S table. Under this condition it 
may pay off not to check all possible values for $S_{t-1}[j_t]$ because a check can 
be done at time t + 1 without guessing any additional values. This variant has 
in experiments shown to be particularly attractive for parameter values n = 7 
and 8. Moreover note that for this variant the known output segment has to be 
slightly longer than for the basic attack. 

There are even further refinements of the variant which we will not describe 
here. In another direction, computer experiments have led to the following 
observation: suppose two initial tables $S_0$ and $\hat{S}_0$ are given with the property that 
$S_0[i] = \hat{S}_0[i]$ for i = 1, 2, ..., k. Then for k sufficiently large, suitable segments 
of the corresponding output sequences Z and $\hat{Z}$ of the RC4 algorithm are 
correlated. This correlation is illustrated in Fig. 2. We have built this statistical 
property into our attack in order to make a preliminary test at a suitable time 
t whether a choice of values $S_0[i]$, i = 1, 2, ... − 1, is correct. It turned out 
that this in fact can lead to an acceleration of the attack but at the cost of a 
decreased success probability, as often a correct choice is excluded erroneously. 




(Fig. 2, x-axis: number of correct table entries, 0 to 300.) 



Fig. 2. Correlation between key streams as a function of the number of equal table 
entries. Three measures for the correlation are shown: (1) the number of equal outputs 
until the first difference occurs, (2) the number of equal outputs in the first 250 values 
and (3) the number of equal outputs in the first 250 values, added with a weighting 
function that emphasizes the first outputs of the row. It is clear that the last two 
functions are better measures. 



4.2 Efficiency of the Attack 

The complexity of the attacks is measured in terms of the total number of 
assignments made for all entries in the initial table. It is necessary at this point 
to explain some further details of our search algorithm. The algorithm uses 
recursive function calls with the time variable t as parameter. Assume we are at 
some given time t, and let $a_t$ denote the number of entries in the initial table 
which were assigned a value at time t. 

1. It is checked whether $S_{t-1}[i_t]$ has been assigned a value: 

a) if it has, proceed to step 2; 

b) if it has not, then assign, one after one, the $2^n - a_t$ remaining values to 
$S_{t-1}[i_t]$, increment $a_t$ and go to step 2. 

2. It is checked whether $Z_t$ has a value which has been used in an assignment: 

a) if it has, we can calculate the expected value of $S_t[j_t]$ from (4) of the 
RC4 description. If this does not lead to a contradiction, proceed to time 
t + 1 and go to step 1; 

b) if it has not, go to step 3. 

3. It is checked whether $S_{t-1}[j_t]$ has already been assigned a value: 

a) if it has not, then assign, one after one, the $2^n - a_t$ remaining values 
to $S_{t-1}[j_t]$ and update $a_t$. Subsequently, it can be checked whether the 
given values of $i_t$, $j_t$ and $Z_t$ lead to a contradiction. If they do not, 
proceed to time t + 1 and go to step 1. 
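Added example, not the authors' program: a compact Python version of the recursive search guess(t) of Sect. 4.1 with steps 1 to 3 above and conditions i) to iii), run on a toy word length (n = 3) so that it finishes immediately, together with the bound m of Sect. 4.1. All names are my own, the tables are constructed from a seed, and the search returns the first consistent table it finds.

```python
# Added example, not the authors' program: the recursive search guess(t)
# of Sect. 4 (steps 1-3, conditions i)-iii)) for n-bit RC4, plus the
# estimate m = ceil(log2(2^n!)/n) of Sect. 4.1. Toy word lengths only.
import math
import random


def words_needed(n):
    """Smallest m with 2^(nm) >= (2^n)!: output words needed to pin down S_0."""
    return math.ceil(math.log2(math.factorial(1 << n)) / n)


def rc4_stream(table, n, m):
    """Z_1..Z_m of n-bit RC4 (steps (1)-(4)) from the initial table S_0."""
    S, mask, i, j, out = list(table), (1 << n) - 1, 0, 0, []
    for _ in range(m):
        i = (i + 1) & mask
        j = (j + S[i]) & mask
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & mask])
    return out


def recover_state(z, n):
    """Depth-first search for an S_0 that outputs z; returns (S_0, calls)."""
    size, mask = 1 << n, (1 << n) - 1
    S = [None] * size          # entries of the current S_t fixed so far
    pos = {}                   # value -> index, the inverse of S
    swaps, found, calls = [], [None], [0]
    unused = lambda: [v for v in range(size) if v not in pos]

    def put(x, v):
        S[x], pos[v] = v, x

    def drop(x, v):
        S[x] = None
        del pos[v]

    def guess(t, i, j):
        calls[0] += 1
        if t > len(z):                      # every word matched: compute
            T = list(S)                     # backwards to S_0 by undoing swaps
            for a, b in reversed(swaps):
                T[a], T[b] = T[b], T[a]
            found[0] = T
            return True
        zt = z[t - 1]
        i = (i + 1) & mask                                   # (1)
        new_i = S[i] is None
        for vi in (unused() if new_i else [S[i]]):           # step 1
            if new_i:
                put(i, vi)
            jt = (j + vi) & mask                             # (2)
            new_j = S[jt] is None
            if not new_j:
                vj_cands = [S[jt]]
            elif zt in pos:                 # step 2a: Z_t already placed; its
                p = jt if pos[zt] == i else pos[zt]   # index after (3) fixes vj
                vj_cands = [v for v in [(p - vi) & mask] if v not in pos]
            else:                           # step 3a: every unused value
                vj_cands = unused()         # (condition i))
            for vj in vj_cands:
                if new_j:
                    put(jt, vj)
                put(i, vj)                  # (3): swap; a no-op if i == j_t
                put(jt, vi)
                swaps.append((i, jt))
                k, ok = (vi + vj) & mask, False              # index in (4)
                if S[k] is None:
                    if zt not in pos:       # condition ii): new Z_t, free index
                        put(k, zt)
                        ok = guess(t + 1, i, jt)
                        drop(k, zt)
                elif S[k] == zt:            # condition iii)
                    ok = guess(t + 1, i, jt)
                swaps.pop()
                put(i, vi)                  # undo the swap
                put(jt, vj)
                if new_j:
                    drop(jt, vj)
                if ok:
                    return True
            if new_i:
                drop(i, vi)
        return False

    guess(1, 0, 0)
    return found[0], calls[0]


def demo(n, seed, m=None):
    """Recover a constructed (seeded) S_0 from its first m words: (success, calls)."""
    size = 1 << n
    table = random.Random(seed).sample(range(size), size)
    z = rc4_stream(table, n, m or 2 * size)
    S0, calls = recover_state(z, n)
    return S0 == table, calls
```

demo(4, seed) works as well but takes much longer, in line with the growth shown in Table 2.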

It follows that the search algorithm can be split into 8 cases, depending on 
whether $i_t$ and $j_t$ have been assigned a value or not and whether $Z_t$ has a value 
already assigned to an entry in the table. It is possible to simulate the behavior of 
the search algorithm by assigning probabilities to the different cases in the above 
informal description. As an example, the case “$S_{t-1}[i_t]$ has been assigned a value” 
has an average probability of $a_t/2^n$ of being true and an average probability of 
$1 - a_t/2^n$ of being wrong. We define a function complex(·), which takes as input 
a, the number of assigned values in the table. The function has the following 
form: 

$$\mathrm{complex}(a) = \sum_{i=0}^{3} p_i \cdot \text{no-assignments}_i \cdot \mathrm{complex}(a+i) \,. \qquad (9)$$

Our approximation reduces the 8 above cases to 4 cases, each one with a recursive 
call of the function complex. The four recursive calls are explained as follows: $p_i$ 
denotes the probability of the particular case, $\text{no-assignments}_i$ denotes the total 
number of assignments we do for $S_{t-1}[i_t]$ and $S_{t-1}[j_t]$. 

By definition, complex(255) = 1 and complex(a) = 0 for all a > 256. Given 
the values for complex(a+3), complex(a+2), complex(a+1) and expressions for 
$p_i$ and $\text{no-assignments}_i$, (9) can be solved for complex(a). In this way complex(0) 
can be determined. 



Solving the Recurrence: Instead of determining $p_i$ and $\text{no-assignments}_i$ 
directly, we will rewrite (9). We define three new functions $c_1(\cdot)$, $c_2(\cdot)$ and $c_3(\cdot)$, 
representing the complexity of each individual step in our algorithm. We start 
with the equation for $c_1(a)$. The first test of step 1 will succeed on average $a/2^n$ 
times. If it succeeds, we go to step 2 without assigning a value. If it does not 
succeed (probability $1 - a/2^n$), we will do for every possible value of $S_{t-1}[i_t]$ one 
assignment and call step 2. Thus we have: 

$$c_1(a) = \frac{a}{2^n}\, c_2(a) + \left(1 - \frac{a}{2^n}\right)(2^n - a)\, c_2(a+1) \,. \qquad (10)$$
In a similar way, we can derive the expressions for $c_2(a)$ and $c_3(a)$: 

C2{a) = ((1 - + ci(a + 1)) + ^ci(a)) + (1 - |^)c3(a) (11) 

C3(a) = (1 - 1^) (/(a) + + 1) + (2" - a)e(a)ci(a + 2)) , (12) 

where $e(a) = (1 - (a+1)/2^n)(1 - 1/(2^n - a))$ and $f(a) = (2^n - a)(1 + e(a)) + a/2^n$. 
Again we start with the known values $c_i(2^n)$ and work downwards. The maximal 
number of assignments in our algorithm is given by complex(0) = $c_1(0)$. The 
results of the calculation are presented in Table 2, where they are compared 
with some experimental results. 

4.3 Special Streams 

There are streams of output words for which our attack has an increased 
performance. Consider the above description of our algorithm. In step 2 of the 
algorithm we check whether $Z_t$ has a value which has previously been used in an 
assignment. If this is the case we can calculate an expected value for the entry 
$S_t[j_t]$. This either leads to a contradiction or it gives an assignment of an 
additional entry in the (unknown) table. If this is not the case we try and assign values 
to $S_t[j_t]$ and proceed from there. Assume now that $Z_t$ equals $Z_{t+1}$. Then in our 
algorithm at time t + 1 the condition in step 2 is satisfied, since the value of $Z_t$ 
was used in an assignment in a previous step without reaching a contradiction, 
since we assume we are at time t + 1. Thus, the performance of the algorithm 
can be improved if many of the given words are equal. We have incorporated 
this in the above approximations, but we leave out the exact details. Table 1 
lists the results of our tests for versions of RC4 with n = 4, 5. It follows that the 
performance of our algorithm for RC4 with n = 5 increases by more than a 
factor of two if the first two words of the given stream are equal, and that the 
improvement is a factor of about $2^{k-1}$ if the first k words are equal. Clearly, a 
similar phenomenon can be expected if the number of different values in the first 
k words of the stream is greater than 1, but small. 



Table 1. Approximations of the complexities of the attack on RC4, when the first k 
words in the target stream are equal. 

 n | k = 1 | k = 2 | k = 3 | k = 4 | k = 5 | $\sqrt{2^n!}$ 
---|-------|-------|-------|-------|-------|--------------- 
 4 | $2^{21}$ | $2^{20.5}$ | $2^{19.9}$ | $2^{19.4}$ | $2^{18.9}$ | $2^{22}$ 
 5 | $2^{53}$ | $2^{51.6}$ | $2^{50.5}$ | $2^{49.4}$ | $2^{48.4}$ | $2^{58}$ 



4.4 Experimental Results 

The first interesting value for n is n = 4, where the number of entries in $S_0$ is 
16 and the number of possible initial tables is $16! = 2.09 \cdot 10^{13} \approx 2^{44}$. It turns 
out that the basic algorithm for our attack always finds the correct initial table 
in a few seconds, which represents a considerable improvement over exhaustive 
search. It is interesting to compare our result for n = 4 with a result in [2]: the 
method developed in [2] needs about output words of the RC4 stream 
cipher to detect a statistical deviation. This is about 2^® output words for RC4 
with n = 4, whereas we need 16 or 17 output words and about computations 
to find the correct initial table. 

As measure of complexity we take the total number of calls of the function 
guess(t) that are necessary to find the initial table. For n = 4 the average number 
of function calls turns out to be about $2^{20}$. For n = 5 the complexity of the attack 
is too high for the computing power we have available. Therefore, in simulations 
for $n \geq 5$ we accelerate the programs by giving the correct values of the first few 
entries of the S table. Experiments show that the amount of computing time 
can differ by some orders of magnitude depending on the initial table to be found. 

In Table 2 we give the results of our experiments for parameter values n = 
4, ..., 8. Hereby k denotes the number of preassigned entries $S_0[i]$, $1 \leq i \leq k$. 
Complexity means the average number of calls of the function guess(t) in the 
program with given parameter k in 1000 test cases. We should mention, however, 
that the figures for the complexity are only rough estimates as the distribution 
of these numbers has a large variance. When the k preassigned entries have 
wrong values, the search terminates rather quickly with a contradiction in most 
cases. For k > 0 the total complexity is computed as the number N of all 
possible choices of the first k entries multiplied by the average complexity. Note 
that N is computed as $2^n!/(2^n - k)!$. It can be seen that our test results for 
the cases n = 4 and 5 correspond well to the estimated complexity given in 
Sect. 4.2. Furthermore, for n = 5, k = 3 one can apply a program variant 
using the statistical property as described in Sect. 4.1. It turns out that the 
complexity in this case is about 2^°, thus the total complexity is about 2"^®. 
However the algorithm often terminates unsuccessfully. The average success rate 
may be below 50%. For comparison, in the last column of Table 2 the magnitude 
of the square root of $2^n!$ is shown. It follows that the estimated total complexity is 
slightly below the square root of $2^n!$. 

We already mentioned that our search algorithm works better if the first 
words of the output stream are equal. We close this section by listing the results 
for RC4 with n = 4 in Table 3 and leave it as an open question how large the 
improvement is for RC4 with n > 4 in these cases. 

5 A Possible Improvement 

In this section we explain a technique that can be used to improve the efficiency 
of the RC4 attack of Sect. 4. 

Table 2. Complexities of attacks on n-bit RC4. One column gives estimates based on 
the analytical calculations of Sect. 4.2. Other values are based on extrapolations of 
experimental results on simplified versions (preassigning k values). It follows that the 
(total) complexities are close to $\sqrt{2^n!}$. 

 n | calculated k | calculated complexity | experimental k | experimental complexity | total complexity | $\sqrt{2^n!}$ 
---|--------------|-----------------------|----------------|-------------------------|------------------|--------------- 
 3 | 0 | $2^{8}$ | 0 | $2^{8}$ | $2^{8}$ | $2^{8}$ 
 4 | 0 | $2^{21}$ | 0 | $2^{20}$ | $2^{20}$ | $2^{22}$ 
 5 | 0 | $2^{53}$ | 7 | $2^{21}$ | $2^{55}$ | $2^{58}$ 
 6 | 0 | $2^{132}$ | 20 | $2^{23}$ | $2^{138}$ | $2^{148}$ 
 7 | 0 | $2^{324}$ | 45 | $2^{26}$ | $2^{302}$ | $2^{358}$ 
 8 | 0 | $2^{779}$ | 100 | $2^{30}$ | $2^{797}$ | $2^{842}$ 

Table 3. Complexities of the attack on RC4 with n = 4, when the first k words in the 
target stream are equal, averaged over 1000 tests. 

 n | k = 1 | k = 2 | k = 3 | k = 4 | $\sqrt{2^n!}$ 
---|-------|-------|-------|-------|--------------- 
 4 | $2^{20.5}$ | $2^{19.5}$ | $2^{18.4}$ | $2^{17.6}$ | $2^{22}$ 

5.1 Description 

The basic principle of the technique is the following. The initial state of the 
permutation table S depends on the cipher key and is unknown. We assume that 
all $2^n!$ possibilities are equally likely, or that the a priori probability distribution 
of $S_0$ is uniform. We observe the generated values $Z_t$ and try to calculate an a 
posteriori probability distribution for $S_0$. The method can easily be extended to 
deal with a non-uniform a priori probability distribution. 

We represent our information about the value of j and the state of S by means 
of probability distributions. We define the functions $f_t$ as $f_t(a) = \Pr(j_t = a)$ and 
the array of functions $g_t$ as $g_t[x](a) = \Pr(S_t[x] = a)$. Since we know that $j_0 = 0$, 
the function $f_0$ is 1 at the origin, and zero elsewhere. Also, because S is a 
permutation at all times, we know that for all values of t and for $a \in [0, 255]$: 
$\sum_{x=0}^{255} g_t[x](a) = 1$. 

During the attack we observe the generated key stream $Z_t$, t = 0, 1, ..., and 
we try to extract information about the value of j and the state of S after 
iteration t, by using (4) and Bayes’ rule. The extracted information is manifest 
in the functions $f_t$ and $g_t[x]$: the closer these functions are to a delta function, 
the less uncertainty we have about the values of $j_t$ and $S_t[x]$. 

In order to calculate the updated probability distributions, we have to take 
into account two effects: observation of $Z_t$, which gives us more information, 
or “narrows” the probability distributions, and the change of state for j and 
two elements of S, which tends to “flatten” the probability distributions. The 
derivation of the rules for updating the probability distributions is given in 
Appendix A. We assume that the different entries of $S_t$ are independent from each 
other, except that there cannot be two equal values because $S_t$ is a permutation. 
This assumption is only an approximation. 
5.2 Implementation 

The algorithm reads one word of the key stream and calculates the values for $f_1$ 
and $g_1[x]$. The complexity is determined by the determination of $g_1$: for each of 
the $2^n$ x-entries there are $2^n$ probabilities to calculate and every probability is 
the sum of $(2^n)^3$ terms (cf. (24)). This gives a total complexity of $2^{5n}$ steps for 
each value $Z_t$ that is analyzed. In theory, we need less than $2^n$ values in order 
to determine the initial table uniquely. 

Since the complexity of this algorithm is too high to test it on the full version 
of RC4, we tested it with a table that is partially filled in correctly, adapting 
the probability distributions accordingly. A partially filled table can result in a 
unique determination of $j_1, j_2, \ldots$ As long as $j_t$ is known, there is no “flattening 
effect” and the Bayes method works as predicted. Experimental results suggest 
that it is difficult to get convergence when the uncertainty on $j_t$ grows. A possible 
explanation for the convergence problems is that the dependence of the different 
entries of $S_t$ on one another is too high to be neglected. If 160 entries or more 
of $S_0$ are given, the algorithm always succeeds in completing the table, the 
complexity being less than 2^°. If 150 entries are given, the success ratio is 70%, 
and it is expected to drop very quickly from here. 

Figure 3 shows some experimental results for a simplified algorithm. The 
input of the algorithm consists of the values for k entries of $S_0$. The algorithm 
performs the attack, until knowledge of $j_t$ is lost. The algorithm restarts and 
processes the key stream again with the updated information on $S_0$ until no 
new information is obtained anymore. Since $j_t$ is known, the complexity of the 
algorithm is reduced; it is now about k(2^n − k)^. The figure shows how many 
table entries can be successfully recovered as a function of k. One can deduce 
that the algorithm is most successful when k ≈ 120. Since the algorithm does 
not output a complete table, we can use its output table as input for the attack 
of Sect. 4. Experiments suggest that for values of k between 100 and 200, the 
prior application of the simplified Bayes algorithm before starting the attack of 
Sect. 4 increases the efficiency. However, the problem of determining the first k 
values remains. Since the latter attack also works without predetermined entries 
of $S_0$, it could be used to generate a guess for these first k values. Estimating the 
complexity of attacks based on combining the Bayes technique with the attack 
of Sect. 4 is a rather involved task. We leave it as an open problem to which 
extent this combination will improve the attacks on RC4. 

6 Conclusions 

We have demonstrated several cryptanalytic algorithms on the alleged RC4 
stream cipher. The algorithms try to deduce the initial state in a known plain- 
text attack. First we demonstrated the importance of the swapping operation in 
RC4. Our results show that a less frequent use of the swapping operation enables 
stronger cryptanalytic attacks. 

The second algorithm has the best overall performance. It finds the correct 
initial state using only a small segment of known plaintext. The complexity of 
(Fig. 3, x-axis: number of correct values before the Bayes step.) 

Fig. 3. Average number of entries successfully recovered by the Bayes method as a 
function of the number of entries known beforehand. 



the attack was estimated by analytical calculations and verified by extensive 
testing. The complexity was approximated to be less than the time of searching 
through the square root of all possible initial states. We have also identified 
certain streams of words of RC4 for which the search algorithm has an increased 
performance. The third algorithm is based on probability theory. It involves no 
guessing, but it only works if a certain number of table entries is already known. 
Although our attacks are by far not practical for the specified word size of RC4, 
they give new intrinsic insight into the algorithm. It is our hope that our results 
will stimulate further research on RC4. 
A Calculating the a Posteriori Probability Distributions 

There are two effects: observation of $Z_t$, which gives us more information, or 
“narrows” the probability distributions, and the change of state for j and two 
elements of S, which tends to “flatten” the probability distributions. 

A.1 The Change of the State 

The “flattening effect” is described by the following equations, denoting the new 
probability distribution functions with $f'_t$, $g'_t[x]$: 

$$f'_t(a) = \sum_b f_{t-1}(a - b)\, g_{t-1}[i_t](b) \qquad (13)$$

$$g'_t[i_t](y) = \sum_b f'_t(b)\, g_{t-1}[b](y) \qquad (14)$$

$$g'_t[x](y) = (1 - f'_t(x))\, g_{t-1}[x](y) + f'_t(x)\, g_{t-1}[i_t](y) \,. \qquad (15)$$

Equation (13) corresponds to a convolution. 
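Added example (Python, not the paper's implementation): the flattening update (13) to (15) for the functions $f_t$ and $g_t[x]$ of Sect. 5.1, applied to n = 3 with constructed inputs. It checks the remark in Sect. 5.2 that an exactly known $j_t$ and $S_t$ are tracked without flattening, and shows the spreading once j is uncertain. All names are my own.

```python
# Added example, not the paper's implementation: the "flattening" update
# (13)-(15) of Appendix A.1 for f_t(a) = Pr(j_t = a) and g_t[x](a) = Pr(S_t[x] = a)
# (Sect. 5.1), on n-bit RC4 with constructed inputs. All names are mine.


def delta(v, size):
    """Probability distribution concentrated on the value v."""
    d = [0.0] * size
    d[v] = 1.0
    return d


def flatten_step(f_prev, g_prev, i_t, n):
    """One state change with pointer i_t: (f_{t-1}, g_{t-1}) -> (f'_t, g'_t)."""
    size, mask = 1 << n, (1 << n) - 1
    # (13): f'_t(a) = sum_b f_{t-1}(a - b) g_{t-1}[i_t](b), a cyclic convolution
    f_t = [sum(f_prev[(a - b) & mask] * g_prev[i_t][b] for b in range(size))
           for a in range(size)]
    g_t = []
    for x in range(size):
        if x == i_t:
            # (14): g'_t[i_t](y) = sum_b f'_t(b) g_{t-1}[b](y)
            g_t.append([sum(f_t[b] * g_prev[b][y] for b in range(size))
                        for y in range(size)])
        else:
            # (15): g'_t[x](y) = (1 - f'_t(x)) g_{t-1}[x](y) + f'_t(x) g_{t-1}[i_t](y)
            g_t.append([(1.0 - f_t[x]) * g_prev[x][y] + f_t[x] * g_prev[i_t][y]
                        for y in range(size)])
    return f_t, g_t


def is_normalized(f, g, tol=1e-12):
    """f, every g[x], and every column sum over x of g[x](a) add up to 1."""
    size = len(f)
    rows = [f] + g
    cols = [[g[x][a] for x in range(size)] for a in range(size)]
    return all(abs(sum(d) - 1.0) < tol for d in rows + cols)


def exact_state_stays_exact(table, n, steps):
    """Start from delta functions on a known S_0 and j_0 = 0 and check that
    (13)-(15) reproduce the true j_t and S_t after every update."""
    size, mask = 1 << n, (1 << n) - 1
    S, i, j = list(table), 0, 0
    f, g = delta(0, size), [delta(v, size) for v in S]
    for _ in range(steps):
        i = (i + 1) & mask                 # the real RC4 state change
        j = (j + S[i]) & mask
        S[i], S[j] = S[j], S[i]
        f, g = flatten_step(f, g, i, n)    # the probabilistic counterpart
        if f != delta(j, size) or g != [delta(v, size) for v in S]:
            return False
    return is_normalized(f, g)


def spread_with_uncertain_j(table, n):
    """S_0 exactly known but j_0 equally likely 0 or 1: after one update the
    peak of f'_1 is only 1/2 and the uncertainty leaks into g'_1.
    Returns (peak of f'_1, number of blurred g'_1[x], normalization ok)."""
    size = 1 << n
    f0 = [0.5, 0.5] + [0.0] * (size - 2)
    f1, g1 = flatten_step(f0, [delta(v, size) for v in table], 1, n)
    blurred = sum(1 for x in range(size) if max(g1[x]) < 1.0)
    return max(f1), blurred, is_normalized(f1, g1)
```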



A.2 Observation of $Z_t$ 

The information of the known $Z_t$ value can be used to calculate the functions $f_t$ 
and $g_t[x]$. Bayes’ rule gives the following equations: 

$$\Pr(j_t = a \mid Z_t = d) = \frac{\Pr(j_t = a)\,\Pr(Z_t = d \mid j_t = a)}{\Pr(Z_t = d)} \qquad (16)$$

$$\Pr(S_t[x] = y \mid Z_t = d) = \frac{\Pr(S_t[x] = y)\,\Pr(Z_t = d \mid S_t[x] = y)}{\Pr(Z_t = d)} \qquad (17)$$

In terms of $f_t$ and $g_t[x]$ this becomes 

$$f_t(a) = \frac{f'_t(a)\,\Pr(Z_t = d \mid j_t = a)}{\Pr(Z_t = d)} \qquad (18)$$

$$g_t[x](y) = \frac{g'_t[x](y)\,\Pr(Z_t = d \mid S_t[x] = y)}{\Pr(Z_t = d)} \qquad (19)$$

The remaining probabilities can be expressed as functions of $f'_t$ and $g'_t[x]$. 
Equation (4) gives for the probability distribution of $Z_t$: 

$$\Pr(Z_t = d) = \sum_a \sum_b \sum_c \Pr(j_t = a,\, S_t[a] = b,\, S_t[i_t] = c,\, S_t[b+c] = d) \,. \qquad (20)$$

We do not need to calculate the probability $\Pr(Z_t = d)$ explicitly, because it can 
be determined from the renormalization requirements: 

$$\sum_a \Pr(j_t = a \mid Z_t = d) = 1 \,, \qquad \sum_y \Pr(S_t[x] = y \mid Z_t = d) = 1 \,.$$
The value $\Pr(Z_t = d \mid j_t = a)$ can be calculated as 

$$\Pr(Z_t = d \mid j_t = a) = \sum_b \sum_c \Pr(S_t[a] = b,\, S_t[i_t] = c,\, S_t[b+c] = d) \qquad (21)$$

$$= \sum_b \sum_c \Pr(S_t[a] = b)\,\Pr(S_t[i_t] = c \mid S_t[a] = b)\,\Pr(S_t[b+c] = d \mid S_t[a] = b,\, S_t[i_t] = c) \,. \qquad (22)$$

In order to rewrite this in terms of $f'_t$ and $g'_t[x]$, we assume that for two different 
values $x_1, x_2$, the values of $S_t[x_1]$ and $S_t[x_2]$ are independent. 

— $\Pr(S_t[a] = b) = g'_t[a](b)$. 

— $\Pr(S_t[i_t] = c \mid S_t[a] = b)$: if both $i_t = a$ and $c = b$, the probability is 
one; if only one of the equalities holds, the probability is zero; else it is 
$\Pr(S_t[i_t] = c)/(1 - \Pr(S_t[i_t] = b)) = g'_t[i_t](c)/(1 - g'_t[i_t](b))$. 

— $\Pr(S_t[b+c] = d \mid S_t[a] = b,\, S_t[i_t] = c)$: In the generic case, the probability is 
$\Pr(S_t[b+c] = d)/(1 - \Pr(S_t[b+c] = b) - \Pr(S_t[b+c] = c)) = g'_t[b+c](d)/(1 - g'_t[b+c](b) - g'_t[b+c](c))$. 
Special cases occur when $a = i_t$, $b = c$, $a = b + c$, $d = b$, $i_t = b + c$, and/or $c = d$. 

Similarly, the value of $\Pr(Z_t = d \mid S_t[x] = y)$ can be calculated as 

$$\Pr(Z_t = d \mid S_t[x] = y) = \sum_a \sum_b \sum_c \Pr(j_t = a,\, S_t[a] = b,\, S_t[i_t] = c,\, S_t[b+c] = d \mid S_t[x] = y) \qquad (23)$$

$$= \sum_a \sum_b \sum_c \Pr(j_t = a \mid S_t[x] = y)\,\Pr(S_t[a] = b \mid S_t[x] = y,\, j_t = a)\,\Pr(S_t[i_t] = c \mid S_t[x] = y,\, j_t = a,\, S_t[a] = b)\,\Pr(S_t[b+c] = d \mid S_t[x] = y,\, j_t = a,\, S_t[a] = b,\, S_t[i_t] = c) \,. \qquad (24)$$

These equations can also be reworked in terms of $f'_t$ and $g'_t[x]$. 
Abstract. The Shrinking Generator and the Alternating Step Generator 
are two of the most well known clock-controlled stream ciphers. We con- 
sider correlation attacks on these two generators, based on an identified 
relation to the decoding problem for the deletion channel and the ins- 
ertion channel, respectively. Several ways of reducing the decoding com- 
plexity are proposed and investigated, resulting in “divide-and-conquer” 
attacks on the two generators having considerably lower complexity than 
previously known attacks. 



1 Introduction 

A binary additive stream cipher is a synchronous stream cipher in which the keystream, the plaintext and the ciphertext are sequences of binary digits. The output of the keystream generator, z_1, z_2, ..., is added bitwise to the plaintext sequence m_1, m_2, ..., producing the ciphertext c_1, c_2, .... Each secret key k as input to the keystream generator corresponds to an output sequence. Since the secret key k is shared between the transmitter and the receiver, the receiver can decrypt by adding the output of the keystream generator to the ciphertext, obtaining the message sequence.

The goal in stream cipher design is to efficiently produce random-looking sequences that in some sense are "indistinguishable" from truly random sequences. From a cryptanalysis point of view, a good stream cipher should be resistant against a known-plaintext attack. In a known-plaintext attack the cryptanalyst is given a plaintext and the corresponding ciphertext, and the task is to determine the key k. For a synchronous stream cipher, this is equivalent to the problem of finding the key k that produced a given keystream z_1, z_2, ..., z_N.

In stream cipher design, one usually uses linear feedback shift registers, LFSRs, as building blocks in different ways, and the secret key is often used as the initial state of the LFSRs. A general methodology for producing random-like sequences from LFSRs that recently has been popular is using the output of one or more LFSRs to control the clock of other LFSRs. The purpose is to destroy the linearity of the LFSR sequences and hence provide the resulting sequence with a large linear complexity.

* Supported by the Foundation for Strategic Research - PCC under Grant 97-130. 

K. Ohta and D. Pei (Eds.): ASIACRYPT'98, LNCS 1514, pp. 342-356, 1998.

© Springer- Verlag Berlin Heidelberg 1998 
The most important general attacks on LFSR-based stream ciphers are correlation attacks. Basically, if one can in some way detect a correlation between the known output sequence and the output of one individual LFSR, this can be used in a "divide-and-conquer" attack on the individual LFSR [?].

Two of the most well known clock-controlled stream ciphers are the Shrinking generator and the Alternating step generator. In this paper we consider correlation attacks on these two generators. Some basic attacks were considered when the generators were introduced [?] and [?], and further studies in [?] and [?]. For an overview, see [?].

Our considerations are based on an identified relation to the decoding problem on the deletion channel and the insertion channel, respectively. Several ways of reducing the decoding complexity are proposed and investigated, resulting in "divide-and-conquer" attacks on the two generators mentioned above having considerably lower complexity than previously known attacks. For example, for the Shrinking generator with shift register length 61 as suggested in [?], but with known feedback polynomial, the complexity of breaking this generator is reduced from around 2^80 [?] to 2^50 and below (see Table 1), depending on the length of the received sequence.

In Section 2 we describe the Shrinking generator and the Alternating step generator, respectively. We also show the relation to the decoding problem for the deletion/insertion channel. In Section 3 we consider a procedure for MAP decoding on the deletion channel. In Section 4 we propose a suboptimal MAP decoding procedure with reduced complexity and then demonstrate how certain "weak" subsequences that appear in the output sequence can be used to further reduce the complexity of a "divide-and-conquer" attack on the Shrinking generator. In Sections 5 and 6 the same ideas are used on the Alternating step generator and the insertion channel, essentially showing the same type of complexity reduction.



2 Preliminaries 

The Shrinking Generator, or SG for short, uses two sources of pseudorandom bits to create a third source of pseudorandom bits, having better cryptographic quality than the original sources. The output sequence is a subsequence of the first source, which is selected according to the values of the second source. The two original sources are in the proposal [?] chosen to be two maximal length linear feedback shift registers (LFSR).

The output sequence is more precisely defined as follows. Let a = a_1, a_2, ... denote the output of the first LFSR, denoted LFSR_A, and let s = s_1, s_2, ... denote the output of the second LFSR, denoted LFSR_S. The two LFSRs have length L_A and L_S respectively. The output sequence of the generator, denoted z = z_1, z_2, ..., is the sequence obtained from a = a_1, a_2, ... by removing all a_i's for which s_i = 0. This is depicted in Figure 1.

[Fig. 1. The Shrinking Generator: a_i is output if s_i = 1 and discarded if s_i = 0.]

The Alternating Step Generator, or ASG for short, is closely related to the stop-and-go generator and was proposed by Günther [?] in 1987. See [?] for a further description of the ASG. Let us describe a modified version of the ASG, which we call ASG'.

Description of ASG': Again, we have three LFSRs, where LFSR_S controls the clock of the two other LFSRs. Let LFSR_S generate the sequence s = s_1, s_2, .... If s_i = 1 then the output symbol z_i is the output symbol from LFSR_A, and LFSR_A is clocked. Otherwise, if s_i = 0 then the output symbol z_i is the output symbol from LFSR_B, and LFSR_B is clocked. The ASG' is shown in Figure 2.

[Fig. 2. The modified Alternating Step Generator, ASG'.]

It is not hard to show that ASG and ASG' are equivalent and hence we only consider the ASG' in the sequel.

In the case of the SG, it was observed by Golić and O'Connor [?] that the sequence a can be recovered from the output sequence z if we can solve the corresponding decoding problem on the deletion channel. The deletion/insertion channel is a communication channel where the input symbols are deleted with a probability p and between any two undeleted input symbols i random symbols are inserted with distribution P(i insertions) = q^i (1 − q), i ≥ 0. If there are no insertions we call the channel the deletion channel, and if there are no deletions we call it the insertion channel.

For the SG we regard the sequence s from LFSR_S as random and try to decode the output z to the correct sequence a. It can be easily verified that if we assume that the sequence a = a_1, a_2, ... is the input to the deletion channel and the sequence z = z_1, z_2, ... is the output, the requirements for the deletion channel are fulfilled and the parameter p is p = 1/2. Since there are only 2^{L_A} possible input sequences, an output sequence is uniquely decodable if it is long enough and if the channel has a positive channel capacity [?]. With a fixed set of possible initial states we decode by simply checking each possible sequence with a MAP decoding algorithm, to be described in Section 3.

Having modified the ASG to ASG', we can then see that if we assume that the sequence a = a_1, a_2, ... is the input to the insertion channel and the sequence z = z_1, z_2, ... is the output, the requirements for the insertion channel are fulfilled and the parameter q is q = 1/2.
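As an added illustration of the two generators and of the channel view just described (example code written for this page, not the paper's own or any reference implementation), the following Python implements an LFSR with a given feedback polynomial, the SG and the ASG', and checks that the SG output is obtained from a by deletions only and that the ASG' output contains the consumed part of a as a subsequence, the LFSR_B bits being the insertions. The feedback polynomials x^4+x+1, x^5+x^2+1, x^3+x+1 and the initial states are constructed toy values chosen so the example can be followed by hand; they are far too short to be secure and are not taken from the paper.

```python
"""LFSR-based Shrinking Generator (SG) and modified Alternating Step Generator
(ASG') with the deletion/insertion-channel checks of Section 2.

Added example for this page, not code from the paper or a reference
implementation. The feedback polynomials x^4+x+1, x^5+x^2+1, x^3+x+1 and the
initial states are constructed toy values (far too short to be secure)."""


class LFSR:
    """Fibonacci LFSR. `poly` lists the exponents of the feedback polynomial
    f(x) = x^L + ... + 1, e.g. [4, 1, 0] for x^4 + x + 1; the recurrence is
    s_{k+L} = XOR over the lower exponents e of s_{k+e}."""

    def __init__(self, poly, state):
        self.degree = max(poly)
        self.taps = [e for e in poly if e < self.degree]
        if len(state) != self.degree or not any(state):
            raise ValueError("state must be a non-zero bit vector of length L")
        self.state = list(state)

    def clock(self):
        """Return the current output bit s_k and step the register."""
        out = self.state[0]
        new = 0
        for e in self.taps:
            new ^= self.state[e]
        self.state = self.state[1:] + [new]
        return out

    def stream(self, n):
        return [self.clock() for _ in range(n)]


def shrinking_generator(lfsr_a, lfsr_s, n):
    """SG: both registers are clocked every step; a_i is output iff s_i = 1,
    i.e. z is a with the positions where s_i = 0 deleted."""
    z = []
    while len(z) < n:
        a, s = lfsr_a.clock(), lfsr_s.clock()
        if s:
            z.append(a)
    return z


def asg_prime(lfsr_a, lfsr_b, lfsr_s, n):
    """ASG': if s_i = 1, z_i is the output of LFSR_A and LFSR_A is clocked;
    otherwise z_i is the output of LFSR_B and LFSR_B is clocked."""
    z = []
    for _ in range(n):
        s = lfsr_s.clock()
        z.append(lfsr_a.clock() if s else lfsr_b.clock())
    return z


def is_subsequence(short, long):
    """True iff `short` is obtained from `long` by deletions only."""
    it = iter(long)
    return all(any(x == y for y in it) for x in short)


def channel_view(n=60):
    """Deletion view of the SG and insertion view of the ASG': the SG output
    is a subsequence of a, and the ASG' output contains the consumed prefix
    of a as a subsequence (the LFSR_B bits are the inserted symbols)."""
    a = LFSR([4, 1, 0], [1, 0, 0, 0]).stream(n)
    n_from_a = sum(LFSR([5, 2, 0], [1, 0, 0, 0, 0]).stream(n))  # number of s_i = 1
    z_sg = shrinking_generator(LFSR([4, 1, 0], [1, 0, 0, 0]),
                               LFSR([5, 2, 0], [1, 0, 0, 0, 0]), n_from_a)
    z_asg = asg_prime(LFSR([4, 1, 0], [1, 0, 0, 0]), LFSR([3, 1, 0], [1, 0, 0]),
                      LFSR([5, 2, 0], [1, 0, 0, 0, 0]), n)
    return is_subsequence(z_sg, a), is_subsequence(a[:n_from_a], z_asg)
```

With x^4+x+1 and initial state 1,0,0,0 the first register produces the period-15 m-sequence 1,0,0,0,1,0,0,1,1,0,1,0,1,1,1, so the 15 nonzero initial states are exactly the 15 shifts of one sequence; this is what the divide-and-conquer attacks in the later sections enumerate for LFSR_A, only with L_A = 61 instead of 4.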



3 MAP Decoding on the Deletion Channel 

By definition, a MAP decoding algorithm finds an input sequence a that for given z maximizes P(a transmitted | z received), whereas an ML decoding algorithm finds a sequence a maximizing P(z received | a transmitted). The derivation to be given is related to [?].

Assume that a_1, ..., a_{L_A} is the given initial state of LFSR_A at time zero. Each initial state gives rise to a corresponding infinite sequence a = a_1, a_2, .... Denote by $\mathcal{A}$ the set of possible sequences. Assume also that the output sequence z is an infinite sequence z = z_1, z_2, ... obtained by transmitting some sequence a over the deletion channel, i.e. the sequence a = a_1, a_2, ... gives the output z = z_1, z_2, .... Let A = A_1, A_2, ... and Z = Z_1, Z_2, ... be the corresponding random variables. Continuing, we consider input sequences of fixed length t. Thus let a^t denote the sequence a^t = a_1, a_2, ..., a_t, and let A^t = A_1, A_2, ..., A_t be the corresponding random variable. For a fixed length t the MAP decoding procedure calculates

\[ P(A^t = a^t \mid Z = z), \qquad (1) \]

for all sequences in $\mathcal{A}$ and selects a sequence $a \in \mathcal{A}$ maximizing (1).

The length of the output sequence after t input symbols can be any value in [0, t]. Hence, introduce the random variables φ_t, t ≥ 0, as the number of output symbols after t input symbols. We can then write the above equation as

\[ P(A^t = a^t \mid Z = z) = \sum_{i=0}^{t} P(A^t = a^t, \phi_t = i \mid Z = z). \qquad (2) \]

The calculation of P(A^t = a^t, φ_t = i | Z = z) can then be done iteratively by observing that

\[
\begin{aligned}
P(A^t = a^t, \phi_t = i \mid Z = z) = {} & P(A^{t-1} = a^{t-1}, \phi_{t-1} = i \mid Z = z)\, P(A_t = a_t, \phi_t = i \mid a^{t-1}, \phi_{t-1} = i, Z = z) \\
 & + P(A^{t-1} = a^{t-1}, \phi_{t-1} = i-1 \mid Z = z)\, P(A_t = a_t, \phi_t = i \mid a^{t-1}, \phi_{t-1} = i-1, Z = z). \qquad (3)
\end{aligned}
\]

We further observe that

\[ P(A_t = a_t, \phi_t = i \mid a^{t-1}, \phi_{t-1} = i, Z = z) = \tfrac14, \qquad (4) \]

346 



T. Johansson 



since a deletion occurs with probability 1/2 and then A_t = a_t also with probability 1/2. Furthermore

\[ P(A_t = a_t, \phi_t = i \mid a^{t-1}, \phi_{t-1} = i-1, Z = z) = \tfrac12\,\delta(a_t, z_i), \qquad (5) \]

because in this case there should be no deletion, which occurs with probability 1/2. Then A_t = Z_i and thus A_t = a_t has probability 1 if a_t = z_i and 0 otherwise.

With given sequences a, z, each A^t = a^t, φ_t = i, 0 ≤ t ≤ T, 0 ≤ i ≤ T, can be considered as a node, denoted (t, i). Then the iterative calculation gives rise to a trellis, where P(A^t = a^t, φ_t = i | Z = z) is the metric associated with each node. For simplicity, denote P(A^t = a^t, φ_t = i | Z = z) simply by μ(t, i). The metric of new nodes will be updated according to whether a_t = z_i or not. The metric update is obtained by combining (3), (4) and (5) as

\[ \mu(t, i) = \tfrac14\,\mu(t-1, i) + \tfrac12\,\mu(t-1, i-1)\,\delta(a_t, z_i), \qquad (6) \]

where

\[ \delta(x, y) = \begin{cases} 1, & x = y, \\ 0, & \text{otherwise.} \end{cases} \]

As previously shown, we have

\[ P(A^t = a^t \mid Z = z) = \sum_{i=0}^{t} \mu(t, i). \]

Let N(t, i) be the number of different paths from node (0, 0) to node (t, i). Then μ(t, i) = N(t, i)/2^{2t−i}, since every step of a path contributes a factor 1/4 (deletion) or 1/2 (emission) by (6). This implies that we only have to consider the number of paths to each node (t, i) and that we can choose N(t, i) as the metric to calculate. The advantage is that N(t, i) is always an integer. The metric update using N(t, i) is

\[ N(t, i) = N(t-1, i) + N(t-1, i-1)\,\delta(a_t, z_i), \qquad (7) \]

with initial value N(0, 0) = 1. We illustrate the procedure of creating the trellis and calculating the N(t, i) metric by a small example given in Figure 3.

As stated for the probabilistic attack described in [?], the length of the sequence on which the decoding is performed needs to be at least 3L_A for unique decoding, and we here choose to use the length 4L_A. A straightforward implementation of the MAP decoding procedure is quadratic in the length. Hence the obtained complexity will be roughly (4L_A)^2 simple operations (about (4L_A)^2/4 nodes in the trellis, each requiring one calculation of μ(t, i)).
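The path-count recursion (7) and the exact MAP metric it yields, as an added Python example (not the paper's code). The sample sequences are those of the Figure 3 example, a = 0,1,0,1,1,0 and z = 0,1,1,0; lists are 0-indexed, so a[t-1] is the paper's a_t and z[i-1] is z_i. Beyond the figure, rank_candidates applies the metric to a list of candidate prefixes for LFSR_A, which is the divide-and-conquer step the section describes.

```python
"""Exact MAP decoding on the deletion channel with the integer metric N(t, i)
of (7). Added example, not the paper's code. Lists are 0-indexed, so a[t-1]
is the paper's a_t and z[i-1] is z_i; the sample a and z are those of the
Figure 3 example."""
from fractions import Fraction


def delta(x, y):
    return 1 if x == y else 0


def path_counts(a, z):
    """N[t][i] = number of paths from node (0, 0) to node (t, i): the number of
    deletion patterns under which a_1..a_t produce exactly z_1..z_i."""
    T, n = len(a), len(z)
    N = [[0] * (T + 1) for _ in range(T + 1)]
    N[0][0] = 1
    for t in range(1, T + 1):
        N[t][0] = N[t - 1][0]                      # a_t deleted, nothing emitted
        for i in range(1, min(t, n) + 1):          # no more outputs than z has
            N[t][i] = N[t - 1][i] + N[t - 1][i - 1] * delta(a[t - 1], z[i - 1])
    return N


def map_metric(a, z):
    """X_t = P(A^t = a^t | Z = z) = sum_i mu(t, i) with mu(t, i) = N(t, i)/2^(2t-i),
    which is what (2), (6) and (7) give; returned exactly as a Fraction."""
    T = len(a)
    N = path_counts(a, z)
    return sum(Fraction(N[T][i], 2 ** (2 * T - i)) for i in range(T + 1))


def rank_candidates(candidates, z):
    """Divide-and-conquer step on LFSR_A: score every candidate prefix a^t for
    the observed z and return them best first (the MAP choice is the head)."""
    return sorted(candidates, key=lambda a: map_metric(a, z), reverse=True)


def figure3_example():
    """The trellis of Figure 3: a = 0,1,0,1,1,0 and z = 0,1,1,0."""
    return path_counts([0, 1, 0, 1, 1, 0], [0, 1, 1, 0])
```

For the Figure 3 data the last level of the trellis holds N(6, 0..4) = 1, 3, 5, 4, 4, so X_6 = (1 + 6 + 20 + 32 + 64)/4096 = 123/4096; a candidate such as 1,1,1,1,1,1, which cannot even emit z_1 = 0, is left with the single all-deletions path and the metric 1/4096, and is ranked below it.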



4 Reduced Complexity Decoding — Deletion Channel 

[Fig. 3. A trellis with metric N(t, i) for a = 0, 1, 0, 1, 1, 0, ... and z = 0, 1, 1, 0, ...; the columns are labelled a_1 = 0, a_2 = 1, a_3 = 0, a_4 = 1, a_5 = 1, a_6 = 0.]

We reduce the decoding complexity using two different approaches. Firstly, we propose and examine a suboptimal decoding algorithm, i.e., an algorithm with reduced complexity that has an almost optimal behavior. We use a stopping rule for the decision together with a list decoding approach (we keep only a fixed number of nodes at each time instant). Properties of this suboptimal decoding procedure are considered in the appendix. Let C_{MAP'} be the expected complexity of testing one sequence with the above suboptimal algorithm. The algorithm implies a divide-and-conquer attack on LFSR_A by exhaustively testing all initial states. The complexity of such an attack is then approximately 2^{L_A} · C_{MAP'}.

Our second objective is to demonstrate that certain subsequences of the output sequence are weak in the sense that when they occur, they can be used to find the initial state of LFSR_A with lower complexity than exhaustively testing as mentioned above.

Assume that the output sequence z = z_1, z_2, ... contains a subsequence z_T, z_{T+1}, ..., z_{T+M} such that either

\[ (z_T, z_{T+1}, \ldots, z_{T+M}) = (0, 0, \ldots, 0, 1, 0, \ldots, 0) \qquad (8) \]

or

\[ (z_T, z_{T+1}, \ldots, z_{T+M}) = (1, 1, \ldots, 1, 0, 1, \ldots, 1). \qquad (9) \]

The subsequence z_T, z_{T+1}, ..., z_{T+M} is of length M + 1. W.l.o.g. we can assume that (8) holds. Define the time t to be zero exactly where the occurrence of the single 1 is in the subsequence. In our notation, this means that a_0 = 1 and s_0 = 1. Let us now calculate P(a_1 = 0) as follows.



\[
\begin{aligned}
P(a_1 = 0) &= P(a_1 = 0 \mid s_1 = 0)\,P(s_1 = 0) + P(a_1 = 0 \mid s_1 = 1)\,P(s_1 = 1) & (10) \\
 &= \tfrac12 \cdot \tfrac12 + 1 \cdot \tfrac12 & (11) \\
 &= \tfrac34, & (12)
\end{aligned}
\]

since if s_1 = 1 then a_1 = z_1 = 0, and if s_1 = 0 then a_1 takes any value in {0, 1} with approximately equal probability.
The same arguments as above can be applied to P(a_2 = 0) etc., as well as to P(a_{−1} = 0) etc., and it is clear that

Furthermore, the deletion rate is 1/2. Hence, assuming M_1 deletions appearing in a_{−2M_1}, ..., a_{−1}, and M_2 deletions in a_1, ..., a_{2M_2}, we would end up with

(13)

If the number of deletions is not exactly M_1 and M_2 respectively, they are at least close to these values and the distribution is close to the above.
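A Monte Carlo check of the correlation (10)-(12) and of the size of the reduced search it buys (method B below), as an added example that is not the paper's code. As in the analysis, which treats s as random, a and s are constructed here as independent uniformly random bit streams from a fixed seed, and z is a with the positions where s_i = 0 deleted. The check looks at the M symbols of a following the symbol that produced some output bit z_k whenever z_{k+1}, ..., z_{k+M} are all zero: each such symbol is either emitted (probability 1/2, and then it is one of those zeros) or deleted (probability 1/2, and then it is uniform), so it is 0 with probability exactly 3/4 and the window holds M/4 ones on average.

```python
"""Monte Carlo check of the weak-subsequence correlation behind (10)-(12) and
the size of the reduced search of method B. Added example, not the paper's
code. As in the analysis (which treats s as random), a and s are constructed
here as independent uniformly random bit streams from a fixed seed, and z is
a with the positions where s_i = 0 deleted."""
import math
import random


def simulate_sg(n, seed=1):
    """Return (a, z, pos) with pos[k] = index into a that produced z[k]."""
    rng = random.Random(seed)
    a = [rng.randrange(2) for _ in range(n)]
    s = [rng.randrange(2) for _ in range(n)]
    z, pos = [], []
    for i in range(n):
        if s[i]:
            z.append(a[i])
            pos.append(i)
    return a, z, pos


def weak_window_stats(a, z, pos, M):
    """Wherever z continues with M zeros after some output z_k (the zeros to
    one side of the marker bit in (8)), look at the M symbols of a following
    the a-symbol that produced z_k.  Each is emitted with probability 1/2
    (then it is one of the zeros) or deleted (then it is uniform), so each is
    0 with probability 3/4.  Returns (fraction of zeros, mean ones per window)."""
    zeros = ones = windows = 0
    for k in range(len(z) - M):
        if any(z[k + 1:k + 1 + M]):
            continue
        start = pos[k] + 1
        if start + M > len(a):
            break
        w = sum(a[start:start + M])
        ones += w
        zeros += M - w
        windows += 1
    if windows == 0:
        return float("nan"), float("nan")
    return zeros / (zeros + ones), ones / windows


def method_b_search_size(L_A, M):
    """Initial states tried by method B: at most M/2 ones in the 2M correlated
    positions, a_0 = 1 fixed, and the remaining L_A - 2M - 1 positions free.
    Multiply by C_MAP' for the operation count of Table 1."""
    return sum(math.comb(2 * M, i) for i in range(math.ceil(M / 2) + 1)) \
        * 2 ** (L_A - 2 * M - 1)
```

With L_A = 61 and M = 25 (the Table 1 setting for output length 2^20) the search covers about 2^49 states instead of 2^61, and with M = 30 about 2^46; the weak subsequence itself is what costs output length, since a run of M zeros next to a 1 appears only about once per 2^M/M output bits.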

With such a strong correlation identified, we can use it to reduce the complexity of the exhaustive search. We simply define the initial state to include the positions a_{−2M_1}, ..., a_{2M_2} and search according to the above distribution. This idea can then be extended in different ways. We here examine three different approaches.

A. Direct exhaustive search: Using the proposed decoding procedure in the appendix we exhaustively search all 2^{L_A} initial states. The complexity of finding the correct initial state is on average C_{MAP'} · 2^{L_A}, and the length of z can be very small.

B. Search using one weak subsequence: We identify one weak subsequence of the form (8) or (9) of length M + 1. Assume 2M ≤ L_A − 1. Define the initial state to include the 2M + 1 index positions for which (13) holds, possibly together with some additional index positions. Search through all initial states having at most M/2 ones in the corresponding 2M index positions and a_0 = 1, using the proposed decoding procedure. If the correct initial state is not found, an error is declared. The complexity of finding the correct initial state is on average approximately

\[ C_{MAP'} \cdot \sum_{i=0}^{M/2} \binom{2M}{i} \cdot 2^{L_A - 2M - 1}, \]

and the required expected length of z for the weak subsequence to occur is approximately 2^M / M.

C. Search using several weak subsequences: We identify W weak subsequences of the form (8) or (9), all of length M + 1, where 2M ≤ L_A − 1. Then define the initial state to include the 2M + 1 index positions for which (13) holds, possibly together with some additional index positions. Search through all initial states having at most w ones in the corresponding 2M index positions and a_0 = 1, using the proposed decoding procedure. If the correct initial state is not found, take a new weak subsequence and do the same again. If the correct initial state is not found after all weak subsequences have been used, an error is declared.





The complexity is approximately

\[ C_{MAP'} \cdot W \cdot \sum_{i=0}^{w} \binom{2M}{i} \cdot 2^{L_A - 2M - 1}, \]

and the expected observed length of z for W weak subsequences to occur is approximately W · 2^M / M. For the probability of finding the correct sequence to be large, W must be chosen such that the probability that at least one of the W weak subsequences has at most w ones in its 2M index positions is large (see the numerical example in Section 4.1).

In order to show different possibilities and choices of parameters we consider an example where LFSR_A of the SG has L_A = 61 with known feedback polynomial. Our attack then applies to any LFSR_S having arbitrary degree L_S and possibly unknown feedback polynomial. In a comparison we choose L_S ≈ L_A = 61. (In [?] it was suggested to choose length 61-64 for both LFSRs and to use secret feedback polynomials.) A very rough estimate of the complexity in simple instructions for recovering the initial state of LFSR_A for different lengths of z and different methods is given in Table 1.





                                          Length of z
                                     2^20       2^30       2^40
Exhaustive search on LFSR_S [?]      2^80       2^80       2^80
Exhaustive search on LFSR_A [?]      2^77       2^77       2^77
A.                                   2^71       2^71       2^71
B.                                   2^58       2^56       2^56
C. with 2M = L_A − 1                 -          2^50       2^40

Table 1. Rough estimate of complexity for different attacks on the SG with L_A = 61.



4.1 Comments on the Values of Table 1

As described in [?], the divide-and-conquer attack on LFSR_S requires approximately 2^{L_S} L_A^3 operations, which for L_S ≈ L_A = 61 is around 2^80, independent of the output length. Furthermore, using the probabilistic attack described in [?] in an exhaustive search requires approximately 2^{L_A} · (4L_A)^2 operations, since the length of the sequence on which the decoding is performed needs to be at least 3L_A for unique decoding (here chosen to be 4L_A) and the decoding complexity is quadratic in the length.

For method A., the complexity is 2^{L_A} · C_{MAP'}, where the parameters of the suboptimal decoding algorithm are chosen such that C_{MAP'} = 2^{10}, giving an error probability of 0.34 as shown in the appendix. For method B. and output length 2^20, M is chosen to be M = 25. We then search through all sequences with at most 13 ones in 2M = 50 index positions, one position fixed to 1, and the remaining 10 positions arbitrary. This gives complexity

\[ C_{MAP'} \cdot \sum_{i=0}^{13} \binom{50}{i} \cdot 2^{10} \approx 2^{58}. \]

For output length 2^30 or 2^40 we have M = 30, and searching through all sequences with at most 15 ones in 2M = 60 index positions, one position fixed to 1, gives complexity

\[ C_{MAP'} \cdot \sum_{i=0}^{15} \binom{60}{i} \approx 2^{10} \cdot 2^{46} = 2^{56}. \]

Finally, for method C., we only consider the case when M = 30, which rules out the length 2^20. For length 2^30 we expect to find about 2 · 2^30/(2^31/31) = 31 weak subsequences of the form (8) or (9). For each of these subsequences, we search through all sequences with at most 10 ones in 2M = 60 index positions (one position fixed to 1). Since each of the 60 positions is 0 with probability 3/4 by (12), the probability of the event that the correct sequence has 10 or less ones in the 2M = 60 index positions is approximately

\[ \sum_{i=0}^{10} \binom{60}{i} \left(\tfrac14\right)^{i} \left(\tfrac34\right)^{60-i} \approx 0.09. \]

Hence the probability that at least one such event occurs among the 31 trials is large. The complexity of this procedure is roughly

\[ C_{MAP'} \cdot 31 \cdot \sum_{i=0}^{10} \binom{60}{i} \approx 2^{50}. \]

Finally, for output length 2^40 we expect about 2^15 weak subsequences. The probability that the correct sequence has 3 or less ones in the 2M = 60 index positions is

\[ \sum_{i=0}^{3} \binom{60}{i} \left(\tfrac14\right)^{i} \left(\tfrac34\right)^{60-i} \approx 2^{-14}. \]

Searching through all sequences with at most 3 ones in the 2M = 60 index positions gives complexity

\[ C_{MAP'} \cdot 2^{15} \cdot \sum_{i=0}^{3} \binom{60}{i} \approx 2^{10} \cdot 2^{15} \cdot 2^{15} = 2^{40}. \]

Note that in methods A.-C. we only succeed with a certain probability when the selected a is correct, since the suboptimal MAP decoding fails with probability 0.34 etc. If we want a very high probability of success, we can perform the whole process several times, each time on a new part of the output sequence. This slightly increases the complexity and the required length of the output sequence, compared to the above given numerical values.
4.2 Recovering the Initial State of LFSR_S

After having recovered the initial state of LFSR_A, we need to recover the initial state of LFSR_S. This problem has not been addressed before. Due to the MAP decoding algorithm of Section 3, our candidate for the initial state of LFSR_A is correct with arbitrarily large probability (just run the algorithm long enough). We now proceed as follows. Again, run the MAP decoding algorithm and create the trellis. We have

\[
\begin{aligned}
P(s_t = 1 \mid A = a, Z = z) &= \sum_i P(\phi_t = i \mid A = a, Z = z)\, P(s_t = 1 \mid \phi_t = i, A = a, Z = z) \\
 &= \sum_i P(\phi_t = i \mid A = a, Z = z)\, P(s_t = 1 \mid \phi_t = i, A_t = a_t, Z_i = z_i)
\end{aligned}
\]

and

Furthermore,

P(φ_t = i | A = a, Z = z) = ,

and hence we get

P(s_t = 1 | A = a, Z = z) = Σ_i ... z_i).

This procedure creates an a posteriori probability for each symbol s_t. Restoring the s sequence is now exactly the problem of decoding a received word to its nearest codeword on a noisy channel. One advantage is that the received word is very long and hence different ways of doing a fast decoding can be applied. One possibility is to use an iterative decoding process as suggested in [?] for fast correlation attacks. Another simpler method is to search for positions where the a posteriori probability P(s_t = 1 | A = a, Z = z) is very small. This means that these positions are very likely to have s_t = 0. After finding L_S such positions one can perform a search over sequences having a low weight on these positions. The complexity of recovering the initial state of LFSR_S using this approach is very low, and more details will be given in the full paper.



5 MAP Decoding on the Insertion Channel

In order to consider the ASG, we now consider MAP decoding on the insertion channel. The procedure is almost identical to the decoding procedure for the deletion channel. From Bayes' rule,

\[ P(A = a \mid Z^t = z^t) = P(Z^t = z^t \mid A = a)\,\frac{P(A = a)}{P(Z^t = z^t)}. \]

Since P(A = a) and P(Z = z) are both uniformly distributed it is clear that MAP and ML decoding are equivalent, i.e.,

\[ \max_a P(A = a \mid Z^t = z^t) = \max_a P(Z^t = z^t \mid A = a). \]

It will now be apparent that the easiest way to describe a decoding process is in the form of ML decoding. Define the random variables φ_t, t ≥ 0, to be the number of symbols from a that have appeared in z after observing t symbols from z (i.e. after observing z^t). Clearly,

\[ P(Z^t = z^t \mid A = a) = \sum_{i=0}^{t} P(Z^t = z^t, \phi_t = i \mid A = a), \]

and

\[
\begin{aligned}
P(Z^t = z^t, \phi_t = i \mid A = a) = {} & P(Z^{t-1} = z^{t-1}, \phi_{t-1} = i \mid A = a)\, P(Z_t = z_t, \phi_t = i \mid z^{t-1}, \phi_{t-1} = i, A = a) \\
 & + P(Z^{t-1} = z^{t-1}, \phi_{t-1} = i-1 \mid A = a)\, P(Z_t = z_t, \phi_t = i \mid z^{t-1}, \phi_{t-1} = i-1, A = a).
\end{aligned}
\]

Furthermore,

\[ P(Z_t = z_t, \phi_t = i \mid z^{t-1}, \phi_{t-1} = i, A = a) = \tfrac14, \qquad (14) \]

since an insertion occurs with probability 1/2 and then Z_t = z_t also with probability 1/2. Finally

\[ P(Z_t = z_t, \phi_t = i \mid z^{t-1}, \phi_{t-1} = i-1, A = a) = \tfrac12\,\delta(z_t, a_i). \qquad (15) \]

We can now see that the ML decoding procedure in this case is exactly the MAP decoding procedure for the deletion channel if the sequences a and z are switched. Hence all the results from Section 3 are valid also for the insertion channel if a and z are switched. With this conclusion we leave the details out.

6 Reduced Complexity Decoding — Insertion Channel

The ML decoding algorithm demonstrated in the previous section implies a divide-and-conquer attack on the ASG' by exhaustively testing all initial states of LFSR_A. The complexity of such an attack is then approximately 2^{L_A} · C_{MAP'}. We now demonstrate that again certain subsequences of the output sequence of the ASG' are weak in the sense that when they occur, they can be used to find the initial state of LFSR_A with lower complexity than exhaustively testing as mentioned above.

The basic observation is the following. Assume that the output sequence z contains a subsequence z_T, z_{T+1}, ..., z_{T+M−1} such that either

\[ (z_T, z_{T+1}, \ldots, z_{T+M-1}) = (0, 0, \ldots, 0) \qquad (16) \]

or

\[ (z_T, z_{T+1}, \ldots, z_{T+M-1}) = (1, 1, \ldots, 1). \qquad (17) \]

Redefine the time t to be zero at time T and w.l.o.g. assume (16). This means that now (z_0, z_1, ..., z_{M−1}) = (0, 0, ..., 0). Then assuming that at least M/2 of the symbols in z_0, ..., z_{M−1} (which has probability ≥ 1/2) came from LFSR_A, we have a_0 = 0, a_1 = 0, ..., a_{M/2} = 0. Hence one can perform an exhaustive search over all possible initial states of LFSR_A with the first M/2 index positions set to zero. This will reduce the complexity by a factor 2^{M/2} compared with straightforward exhaustive search.

Having described the basic idea, we can now improve the performance in several ways. Instead of subsequences of the form (16) or (17), we consider any sequences of length ≥ M containing at most w ones (or at most w zeros). Each of the w ones comes from LFSR_A with probability 1/2 and hence with probability 2^{−w} none of the ones comes from LFSR_A. If this occurs, the first (M − w)/2 symbols of a are all zero with probability ≥ 1/2. Hence a possible procedure is as follows.

1. Search for a length M subsequence of z containing at most w ones (or zeros).

2. Let t be zero at the beginning of the subsequence and assume that a_0 = 0, ..., a_{(M−w)/2} = 0. Then perform an exhaustive search over the remaining index positions a_{(M−w)/2}, ..., a_{L_A−1}.

3. Go to 1.

The conclusion is that by the basic observation the search is reduced by roughly a factor √L where L is the length of the observed sequence, and by the above improvement the reduction factor can be made a bit larger.

Finally, the concept of weak subsequences is always present for the two considered generators. It is always possible that a "very weak" subsequence appears, implying a successful attack with very low complexity, even though the probability of such a sequence is very low. For example, a subsequence of 2L_A consecutive zeros or ones from the ASG' implies a successful attack with complexity almost zero.
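A Monte Carlo check of the ASG' observation above and of its at-most-w-ones refinement, as an added example that is not the paper's code. As in the analysis, a, b and s are constructed here as independent uniformly random bit streams from a fixed seed, and z is built by the ASG' rule (s_i = 1 takes the next bit of a, s_i = 0 the next bit of b). For every length-M window of z with at most w ones it checks whether the next (M − w)/2 bits of a, i.e. a_0, a_1, ... when time is reset to zero at the start of the window, are all zero; Section 6 argues this happens with probability at least 2^{−w} · 1/2, which is the success probability of fixing those bits to zero in the search.

```python
"""Monte Carlo check of the ASG' weak-subsequence observation of Section 6
(runs of zeros in z, and the at-most-w-ones refinement). Added example, not
the paper's code. As in the analysis, a, b and s are constructed here as
independent uniformly random bit streams from a fixed seed; z follows the
ASG' rule: s_i = 1 takes the next bit of a, s_i = 0 the next bit of b."""
import random


def simulate_asg_prime(n, seed=2):
    """Return (a, z, from_a) with from_a[T] = number of a-bits consumed
    before z[T], i.e. a[from_a[T]] is a_0 when time is reset to zero at T."""
    rng = random.Random(seed)
    a = [rng.randrange(2) for _ in range(n)]
    b = [rng.randrange(2) for _ in range(n)]
    s = [rng.randrange(2) for _ in range(n)]
    z, from_a = [], []
    ia = ib = 0
    for i in range(n):
        from_a.append(ia)
        if s[i]:
            z.append(a[ia])
            ia += 1
        else:
            z.append(b[ib])
            ib += 1
    return a, z, from_a


def zero_prefix_rate(a, z, from_a, M, w=0):
    """Over all length-M windows of z containing at most w ones, the fraction
    for which the next (M - w)/2 bits of a are all zero.  Section 6 argues
    this is at least 2^-w * 1/2, so fixing those bits to zero in the search
    succeeds with at least that probability per window."""
    k = (M - w) // 2
    hits = windows = 0
    for T in range(len(z) - M + 1):
        if sum(z[T:T + M]) > w:
            continue
        start = from_a[T]
        if start + k > len(a):
            break
        windows += 1
        if not any(a[start:start + k]):
            hits += 1
    return hits / windows if windows else float("nan")


def reduced_search_size(L_A, M, w=0):
    """Initial states of LFSR_A left to try once the first (M - w)/2 bits are
    fixed to zero: a factor 2^((M-w)/2) below the 2^L_A of exhaustive search."""
    return 2 ** (L_A - (M - w) // 2)
```

For M = 6 and w = 0 the rate is well above the 1/2 bound (about 0.8, since fewer than M/2 window bits from LFSR_A still leave the remaining prefix bits a coin toss each), and for M = 7, w = 1 it is well above 1/4; the price is that a window of M zeros appears only about once per 2^M output bits, which is the √L trade-off stated above.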
Appendix: A Suboptimal MAP Decoding Algorithm

Introduce the random variables X_t = P(A^t = a^t | Z = z), i.e., X_t = Σ_{i=0}^{t} μ(t, i). Using the recursion (6) we have

\[ X_t = \sum_{i=0}^{t} \Big( \tfrac14\,\mu(t-1, i) + \tfrac12\,\mu(t-1, i-1)\,\delta(a_t, z_i) \Big), \]

which simplifies to

\[ X_t = \tfrac14 X_{t-1} + \tfrac12 \sum_{i=1}^{t} \mu(t-1, i-1)\,\delta(a_t, z_i). \]

Introduce the random variables

\[ S_t = \frac{2 \sum_{i=1}^{t} \mu(t-1, i-1)\,\delta(a_t, z_i)}{X_{t-1}}. \]

Then

\[ X_t = \tfrac14 X_{t-1} + \tfrac14 X_{t-1} S_t = \tfrac12 X_{t-1}\,\frac{1 + S_t}{2}, \]

and after taking logarithms one gets

\[ \log X_t = -1 + \log X_{t-1} + \log \frac{1 + S_t}{2} = -t + \sum_{i=1}^{t} \log \frac{1 + S_i}{2}. \]

Clearly, for a being a random sequence P(a_t = z_i) = 1/2 for all t, i and hence E(S_t) = 1, implying E((1 + S_t)/2) = 1. Now, Jensen's inequality [?] states that E(log((1 + S_t)/2)) ≤ log E((1 + S_t)/2), with equality only if S_t has a deterministic distribution. But S_t does not have a deterministic distribution and hence E(log((1 + S_t)/2)) < log 1 = 0. Hence

\[ E(\log X_t) = -t + \sum_{i=1}^{t} E(Y_i), \qquad (18) \]

where Y_i = log((1 + S_i)/2) and each E(Y_i) < 0.
Next, consider a being the correct sequence. Then if φ_t is the number of output symbols after t input symbols we have

\[ P(a_t = z_i) = \begin{cases} 1/2, & \text{if } i \ne \phi_t, \\ 3/4, & \text{if } i = \phi_t, \end{cases} \]

and hence E(S_t) = 1 + μ(t−1, φ_t − 1)/(2X_{t−1}). Without being able to formally prove the fact, simulations show that E(log((1 + S_t)/2)) > 0 for this case. Thus we have the same expression as in (18), but now with E(Y_i) > 0.

These facts have been investigated by simulations. The value of log X_t − t expressed in the form log X_t − t = C · t has been investigated for different t, covering both cases (random sequence, correct sequence). The result is tabulated in Table 2.



                          log X_t − t
t = length of a^t    correct a         random a
10                   0.090775 · t      −0.096476 · t
20                   0.072374 · t      −0.097060 · t
30                   0.064135 · t      −0.083986 · t
40                   0.059176 · t      −0.069533 · t
60                   0.053739 · t      −0.057280 · t
80                   0.050644 · t      −0.051867 · t
100                  0.048625 · t      −0.049880 · t
200                  0.044149 · t      −0.051356 · t
500                  0.041362 · t      −0.042727 · t
1000                 0.040404 · t      −0.036148 · t
5000                                   −0.033180 · t

Table 2. Tabulation of log X_t − t for a being a correct/random sequence.



Clearly, {X_t, t ≥ 1} is a stochastic process, for which a stopping rule can be introduced. For implementation purposes, we simplify this to apply only on certain index positions, e.g., D · n for n = 1, 2, ... and some integer D. Such a stopping rule will introduce a small probability of error in our hypothesis testing problem, i.e., P("not correct" | a "correct") = ε > 0. On the other hand, this will significantly reduce the computational complexity since in an exhaustive search the algorithm will terminate very quickly for most random sequences a. One also has to select a decision region for stopping/not stopping. Looking at Table 2 a suitable choice might be to stop if log X_t − t < 0.

Secondly, a closer look at μ(t, i) for given t and a correct sequence a shows that the probability mass of μ(t, i) is concentrated to a few nodes (t, i) on each level. Therefore, one can consider a suboptimal decoding algorithm that only stores the L most probable nodes on each level. Furthermore, if I_max is the largest i such that N(t, i) ≠ 0, then the nodes (t, i), i = I_max − L + 1, ..., I_max, are a good approximation of the L most probable nodes, which we use.
These considerations give the following proposed algorithm.

1. Initialize N(0, 0) = 1, I_max = 1.

2. If a_t = z_{I_max} then I_max = I_max + 1. Update

\[ N(t, i) = N(t-1, i) + N(t-1, i-1)\,\delta(a_t, z_i), \]

for i = I_max − L + 1, ..., I_max.

3. If t ≡ 0 (mod D) do the following. Calculate X_t = Σ_i μ(t, i). If log X_t − t < 0 output "wrong sequence" and stop. If t ≥ T_max output "correct sequence" and stop.

4. Increase t by 1 and go to 2.

The above algorithm is given to be easily understood. When implementing it, several steps above should be done differently.

The performance of the algorithm relies on the relation between two important parameters, the probability of declaring a wrong sequence when having the correct one and the average complexity of the decoding algorithm for a random sequence (until it stops and outputs "wrong"). To measure the average complexity we consider the average depth of the trellis before stopping, i.e., T_stop is the value of t = D · n at which the algorithm stops, i.e., when log X_{Dn} − D · n < 0 for the first n = 1, 2, .... This is suitable since for a fixed number L of remaining states in each level of the trellis, the decoding complexity is (essentially) a linear function of T_stop and hence the expected decoding complexity is a linear function of E(T_stop). Some simulated values of the above parameters are given in Table 3.

D      P("wrong" output | a correct)    E(T_stop)
10     0.34                             25.4
20     0.24                             34.8
30     0.21                             50
50     0.16                             70
100    0.10                             117
200    0.01                             209

Table 3. Performance of the proposed algorithm in terms of error probability and decoding complexity for different D when L = 10.

The final conclusion of this section is a choice of parameters for complexity calculations. Selecting D = 10 and L = 10 will give an error probability of 0.34 and expected trellis depth 25.4. In this case the expected number of nodes in the trellis is less than 200 (there are fewer than L nodes on each level in the beginning of the trellis). Each node requires a few instructions to be updated, resulting in a very rough estimate of C_{MAP'} = 2^{10} simple operations as an average of the complexity of testing one sequence a.
Abstract. Two-party protocols have been considered for a long time. Currently, there is a renewed effort to revisit specific protocols to gain efficiency. As an example, one may quote the breakthrough of [BF97], bringing a new solution to the problem of secretly generating RSA keys, which itself goes back to the pioneering work by Yao [Yao86]. The All-Or-Nothing Disclosure of Secrets protocol (ANDOS) was introduced in 1986 by Brassard, Crépeau and Robert [BCR87]. It involves two parties, a vendor and a buyer, and allows the vendor, who holds several secrets, to disclose one of them to the buyer, with the guarantee that no information about the other secrets will be gained. Furthermore, the buyer can freely choose his secret and has the guarantee that the vendor will not be able to find out which secret he picked. In this paper, we present a new protocol which achieves the same functionality, but which is much more efficient and can easily be implemented. Our protocol is especially efficient when a large number of secrets is involved and it can be used in various applications. The proof of security involves a novel use of computational zero-knowledge techniques combined with semantic security.



1 Introduction

The All-Or-Nothing Disclosure of Secrets protocol was introduced in 1986 by Brassard, Crépeau and Robert [BCR87]. It involves two parties, a vendor and a buyer, and allows the vendor, who holds several secrets, to disclose one of them to the buyer, with the guarantee that no information about the other secrets will be gained. Furthermore, the buyer can freely choose his secret and has the guarantee that the vendor will not be able to find out which secret he picked.

As in [BCR87], we make the following assumption: we assume that the vendor is honest when he claims to be willing to disclose one secret, that is, he is not, for example, going to send junk or to swap several of his secrets.

We will not discuss the issue of verification: it much depends on the trading environment and can easily be achieved by additional protocols, possibly involving third parties.

K. Ohta and D. Pei (Eds.): ASIACRYPT’98, LNCS 1514, pp. 357-|^^3 1998. 

© Springer-Verlag Berlin Heidelberg 1998
Before presenting our protocol, it is interesting to note that the security we obtain slightly differs from what was obtained in [BCR87]. While their protocol was computationally secure for the vendor and unconditionally secure for the buyer, our protocol provides unconditional security to the vendor and computational security to the buyer.

Our paper is organized as follows: we first present related work. Then we 
describe the properties required by the encryption systems we are going to use, 
and give a few examples of such systems. We next describe the algorithm itself, 
and we finally discuss its complexity and its practical cost. 

2 Related Work 

ANDOS is also known under the name One-out-of-t Strings Oblivious Transfer, denoted $\binom{t}{1}$-$OT_2^k$ when $t$ secrets of $k$ bits are involved. Historically, the first case considered was for $t = 2$ [Wie83]. Then came natural restrictions ($t = 2$ and $k = 1$) [EGL83] and natural extensions [BCR87] (ANDOS). A large part of the work done on Oblivious Transfer aimed at finding efficient reductions of $\binom{2}{1}$-$OT_2^k$ to $\binom{2}{1}$-$OT_2^1$ [BCS96]. In our context, we chose to keep the name ANDOS, as we are building our protocol without using reductions among Oblivious Transfers.

Salomaa and Santean [SS90] have designed a very efficient ANDOS algorithm when several buyers are involved. The drawback is that they need a majority of honest buyers to achieve security.

Another efficient ANDOS protocol is proposed in [NR94], but relies on ad hoc assumptions.

The problem of blind decoding was recently introduced by Sakurai and Yamane [SY97] and its goal appears close to ANDOS. In their scheme, the buyer is supposed to have an encrypted secret and has it decoded by the vendor in such a way that the vendor does not get any information either on the plaintext or on the vendor's private key. However, the buyer might be able to combine several secrets in a single decoding, or might try to organize an oracle attack to recover the secret key (as in [Oht97]). Furthermore, to apply the scheme in an ANDOS setting, one has to assume that the buyer can anonymously recover the ciphertext for some specific secret, which, on the web for instance, seems to need in itself an ANDOS protocol if the encrypted secrets are not widely distributed.

Finally, the schemes which are probably the most closely related to the ANDOS problem are the Private Information Retrieval (PIR) schemes [CGKS95], and more precisely the computational PIR schemes [CG97]. In PIR protocols, the vendor is a database, which can be modeled as holding bits of information, and the buyer is a user of the database who is willing to query the database privately. Still, there are two major differences between ANDOS and PIR protocols: PIR schemes have only considered bit-per-bit retrieval so far and do not try to enforce any security for the database (a user might recover several bits in a single query).
3 The Encryption System

We now describe the generic system that will be used throughout our protocol. It is a probabilistic encryption system with a few additional properties. The system that we use can be described as follows:

— A security parameter $n$ from which are derived several finite domains, $(R(n), X(n), Y(n))$, which we identify with initial subsets of the integers. Thus we use $R(n)$ for $\{x : 0 \le x < r(n)\}$, $X(n)$ for $\{x : 0 \le x < x(n)\}$, and similar notation for $Y(n)$.

— A public probabilistic encryption function $f : R(n) \times X(n) \to Y(n)$, and a private decryption algorithm $g : Y(n) \to X(n)$, such that:

$$\forall (r, x) \in R(n) \times X(n) \qquad g(f(r, x)) = x$$

Note that the existence of a decryption algorithm implies that the function is injective with respect to its second parameter, that is, for $(r_1, x_1), (r_2, x_2) \in R(n) \times X(n)$, if $f(r_1, x_1) = f(r_2, x_2)$ then $x_1 = x_2$.

We now describe the further requirements needed for our protocols.

1. We require that the encryption function is homomorphic, that is:

$$\forall (r_1, x_1), (r_2, x_2) \in R(n) \times X(n), \qquad f(r_1, x_1)\, f(r_2, x_2) = f(r_3,\ x_1 + x_2 \bmod x(n))$$

where $r_3$ can be computed in polynomial time from $r_1, r_2, x_1$ and $x_2$. (A similar definition was given for the case $x(n) = 2$.)

2. We ask that the encryption function has semantic security. Informally, this means that, for a polynomially bounded adversary, the analysis of a set of ciphertexts does not give more information about the cleartexts than what would be available without knowledge of the ciphertexts. We refer the reader to [GM84] for a formal definition.

3. We assume the existence of a reliable way to prove that the public parameters of the system were correctly constructed. This might be done with the help of a certification authority or by a zero-knowledge proof. For example, to prove the validity of a composite modulus (e.g. that the modulus is the product of exactly two primes), one could use the protocol described in [vdGP88].

4. The last and exotic-looking property is that the number 2 is invertible in $X(n)$. The reason for this choice will appear later.

5. From the previous properties, we can deduce two more, which we will use. The first one is the existence of a "hiding" function $hide : R(n) \times Y(n) \to Y(n)$, depending only on the public parameters of the system and such that:

$$\forall (r, x) \in R(n) \times X(n),\ \forall s \in R(n) \qquad hide(s, f(r, x)) = f(s r' \bmod r(n),\ x)$$

where $r'$ can be computed in polynomial time from $r, x$. As a matter of fact, $hide$ can be defined by $hide(s, x) = f(s, 0)\, x$.

6. The second property, which is a consequence of the previous ones, is the existence of a way to prove that two ciphertexts represent the encryption of the same integer without revealing this integer. Let $(r_1, x_1), (r_2, x_2) \in R(n) \times X(n)$ and consider $y_1 = f(r_1, x_1)$ and $y_2 = f(r_2, x_2)$. Then, there exists $r_3$ such that $f(r_1, x_1) / f(r_2, x_2) = f(r_3,\ x_1 - x_2 \bmod x(n))$. In order to prove that $x_1 = x_2$, one can simply reveal $r_3$. Verification is performed by computing both $y_1 / y_2$ and $f(r_3, 0)$ and checking their equality.

4 Sample Encryption Systems

We present several encryption systems which satisfy the requirements described in the previous section.

4.1 The Goldwasser-Micali Cryptosystem

This encryption system was introduced in [GM84]. We only give a brief sketch of the system here and refer the reader to [GM84] for details. Note that this system satisfies all properties but property 4, and thus cannot be used. We only present it as it was the first example of a probabilistic encryption scheme.

— It can only encrypt single bits ($x(n) = 2$).

— Let $N$ be the product of two large primes, and $y$ be a non quadratic residue modulo $N$.

The encryption function $f$ is $f(r, x) = r^2 y^x \bmod N$.

Decryption is done by calculating (with the factorization of $N$) whether or not the ciphertext is a quadratic residue.

— The semantic security of this system is proved in [GM84] under the Quadratic Residuosity Assumption.



4.2 The Benaloh Cryptosystem

This encryption system was derived from the previous one and introduced in [Ben87]. We only give a brief sketch of the system here and refer the reader to [Ben87] for details.

— It can encrypt several bits (x(n) usually varies from to 2^° depending on the required speed).

— Let $\Phi$ denote the Euler totient function. Let $N$ be the product of two large primes, choose a prime $n$ and an integer $y$ so that $n$ divides $\Phi(N)$ but $n^2$ does not divide $\Phi(N)$, and $y$ is a non $n$-th residue modulo $N$.

The encryption function $f$ is $f(r, x) = r^n y^x \bmod N$.

Decryption is done by calculating (with the knowledge of $\Phi(N)$) the residuosity class of the ciphertext modulo $n$.

— The semantic security is implicit in [Ben87] under the Prime Residuosity Assumption.
4.3 The Naccache-Stern Cryptosystem

This system was recently introduced in [NS98]. We only give a brief sketch of the system here and refer the reader to [NS98] for details.

— It can encrypt several bits (x(n) is usually around

— Let $\Phi$ denote the Euler totient function. Let $N$ be the product of two large primes, choose $n_1, \ldots, n_p$ to be small primes so that for all $i \in \{1, \ldots, p\}$, $n_i$ divides $\Phi(N)$ but $n_i^2$ does not divide $\Phi(N)$. Also choose $y$ to be, for all $i$, a non $n_i$-th residue modulo $N$. Set $n = \prod_{i=1}^{p} n_i$.

The encryption function $f$ is $f(r, x) = r^n y^x \bmod N$.

Decryption is done by calculating (with the knowledge of $\Phi(N)$) the residuosity class of the ciphertext modulo each of the $n_i$ and by recovering the cleartext by means of the Chinese remainder theorem.

— The semantic security is proved in [NS98] under the Prime Residuosity Assumption.

4.4 The Okamoto-Uchiyama Cryptosystem

We only give a brief sketch of the system here and refer the reader to [OU98] for details.

— It can encrypt several bits (x(n) is usually around

— Let $p$ and $q$ be two large primes with $p$ and $q - 1$ relatively prime. Let $N = p^2 q$. Let $y \in (\mathbb{Z}/N\mathbb{Z})^*$ such that the order of $y^{p-1} \bmod p^2$ is $p$.

The encryption function $f$ is $f(r, x) = r^N y^x \bmod N$.

Decryption is performed by raising the encrypted message to the power $p - 1$ and using the fact that it is easy to compute discrete logarithms in the subgroup $\{x \in (\mathbb{Z}/p^2\mathbb{Z})^* \mid x \equiv 1 \bmod p\}$.

— The semantic security is proved in [OU98] under the $p$-subgroup Assumption.

5 The new ANDOS Protocol 

5.1 Overview 

An ANDOS protocol involves two participants. The first one, who holds several 
secrets, will be called the vendor. The second one, who is willing to buy one of 
these secrets, will be called the buyer. 

Our basic idea is to have the buyer send an encrypted index of the secret he is willing to buy, and to let the vendor perform all the computation on his side. The computation of the vendor takes as inputs the buyer's index and his own family of secrets. Provided the buyer's index is valid, the result of this computation will be the corresponding secret, encrypted in such a way that only the buyer can properly decrypt it. The core of the protocol is to efficiently prove the validity of the index. Apart from the use of probabilistic homomorphic encryption, this proof method is our main technical contribution. Similar proofs have already been investigated in [PS96], but turn out to be much less efficient than the proposed one.

The protocol is a one-round protocol, plus an additional interactive proof of validity.

[Figure 1, diagram not reproduced: the message flow between buyer and vendor, with arrows labelled QUERY and INTERACTIVE PROOF]

Fig. 1. The ANDOS protocol: the buyer sends his query, proves its validity, and gets the secret he selected
5.2 Preliminary Zero-Knowledge Proof

We present here a protocol which achieves the following: given

— a probabilistic encryption system $\mathcal{E}$ verifying the properties stated in Section 3,

— an integer $t$,

— a security parameter $k$ (not necessarily related to the security parameter of $\mathcal{E}$),

we obtain the following:

— the buyer is able to convince the vendor that a sequence of $t$ values represents the encryption of $t - 1$ zeros and a single 1, say $x_1, \ldots, x_t$, encrypted under $\mathcal{E}$,

— the protocol does not reveal any information on the index of the non-zero element,

— any cheating buyer who attempts to perform the protocol with a sequence which is not of the proper form will fail with probability $1 - (4/5)^k$.

The protocol goes as follows: the buyer first creates an encryption system $\mathcal{E}$ verifying the properties stated in Section 3, sends its public parameters to the vendor and proves their validity. He then picks $t$ random numbers $h_1, \ldots, h_t$ in $R(n)$, and sends to the vendor the sequence $\sigma$ of $t$ values $v_1 = f(h_1, x_1), \ldots, v_t = f(h_t, x_t)$. Then, they repeat $k$ times the following steps:

1. The buyer sends a zero and a one in encrypted form.

2. The vendor picks a random number between 1 and 5, and:

Case 1 if the number is 1, asks the buyer to reveal the cleartexts corresponding to the encrypted pair.

Case 2 else, he splits the set $\{1, \ldots, t\}$ into two distinct random subsets $A$ and $B$, computes $a = \prod_{i \in A} v_i \bmod y(n)$ and $b = \prod_{i \in B} v_i \bmod y(n)$, sends the buyer the sets $A$ and $B$ and asks him to prove (using property 5) that the pair $(a, b)$ represents the same numbers as the encrypted pair he has sent in step 1.



5.3 Correctness

If the buyer is playing the protocol fairly (with a sequence $\sigma$ of the correct form), he will be able to answer all the vendor's questions.

Assume that the buyer is dishonest and is not playing the protocol fairly, but uses a sequence which does not have the requested form. We will show that, whatever strategy he uses, the cheating buyer cannot answer one round correctly with probability greater than 4/5.

Let us first deal with the case where the sum (mod $x(n)$) of all the integers in the buyer's sequence is not 1. Recall that property 2 implies that multiplying several encrypted numbers gives the encryption of their sum (mod $x(n)$).

When case 2 occurs, whatever the vendor picks for subsets $A$ and $B$, the cleartexts corresponding to $a$ and $b$ cannot be 0 and 1. Hence, the buyer cannot answer case 1 and case 2 at the same time.

Now, assume the sum of the numbers in the buyer's sequence is 1, but that the sequence is not valid. Then at least two integers in the sequence are non-zero.

Lemma 1. Assume that 2 is invertible in $X(n)$. Let $a_1, \ldots, a_t$ be in $X(n)$ with $a_i$ and $a_j$ non-zero. Let $A$ be a subset of $\{1, \ldots, t\}$ such that $i \notin A$, $j \notin A$. Define $A_0 = A$, $A_1 = A \cup \{i\}$, $A_2 = A \cup \{j\}$, $A_3 = A \cup \{i, j\}$. Then, none of the four pairs

$$p_l = \Bigl\{ \sum_{q \in A_l} a_q,\ \sum_{q \notin A_l} a_q \Bigr\}, \qquad l = 0, 1, 2, 3,$$

can be equal.

Proof. Let $p_0 = \{u, v\}$. Then $p_1 = \{u + a_i, v - a_i\}$, $p_2 = \{u + a_j, v - a_j\}$, $p_3 = \{u + a_i + a_j, v - a_i - a_j\}$. Assume all the pairs coincide, then,

— From $p_0$ and $p_1$, we deduce that $a_i = v - u$ (or that $a_i = 0$).

— From $p_0$ and $p_2$, we deduce that $a_j = v - u$ (or that $a_j = 0$).

— So, we can rewrite $p_3 = \{u + 2a_i, v - 2a_i\}$. Hence, from $p_0$ and $p_3$, we deduce that $2a_i = v - u$ (which leads to $a_i = 0$) or that $2a_i = 0$ (which also leads to $a_i = 0$ as 2 is invertible).

Hence, all cases lead to a contradiction.

From the lemma, it follows that a buyer who can answer case 1 is only able to satisfy at most 3/4 of the queries in case 2. Hence, at the end of the protocol, the vendor should be convinced, with probability $1 - (4/5)^k$, that the encrypted sequence he received is made of one 1 and $t - 1$ zeros.

Remark 1. We can note that the previous lemma does not work if we use the Goldwasser-Micali encryption scheme (where $x(n) = 2$). And, as a matter of fact, when using this scheme, any sequence containing an odd number of 1's will pass the protocol.

The proof that the protocol does not leak any information on the position of 
the non-zero element can be found in the appendix. 
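As an added illustration (not part of the paper), the following Python computes the plaintext view of case 2 for a few constructed buyer sequences: since the products a and b encrypt the sums of the buyer's cleartexts over A and over B, a buyer who also passes case 1 can answer exactly those partitions whose sums are {0, 1}. It exhibits a valid sequence passing every partition, a sequence with sum 1 but several non-zero entries reaching the 3/4 bound of Lemma 1, a sequence whose sum is not 1 failing every partition, and the x(n) = 2 failure of Remark 1; the sequences and the modulus 11 are constructed toy inputs.

```python
# Added example: plaintext view of Case 2 of the zero-knowledge proof (Section 5.2)
# and of Lemma 1.  By the homomorphism, the vendor's products a and b encrypt the
# sums of the buyer's cleartexts over A and over B, so the buyer's success in
# Case 2 depends only on those sums.  All sequences below are constructed toy inputs.
from itertools import combinations
from fractions import Fraction

def pair_for_subset(seq, modulus, subset):
    """Unordered pair {sum over A, sum over B} (mod x(n)) for A = subset, B = complement."""
    a = sum(seq[i] for i in subset) % modulus
    b = sum(seq[i] for i in range(len(seq)) if i not in subset) % modulus
    return frozenset((a, b))

def all_subsets(t):
    """Every subset A of {0, ..., t-1}; B is its complement."""
    for size in range(t + 1):
        yield from combinations(range(t), size)

def case2_success_rate(seq, modulus):
    """Fraction of partitions (A, B) for which {a, b} encrypt {0, 1}: exactly the
    Case-2 challenges a buyer who also passes Case 1 (pair = one 0, one 1) can answer."""
    good = sum(1 for A in all_subsets(len(seq))
               if pair_for_subset(seq, modulus, A) == frozenset((0, 1)))
    return Fraction(good, 2 ** len(seq))

def lemma1_pairs(seq, modulus, i, j, A):
    """The four pairs p_0..p_3 of Lemma 1 for A_0 = A, A_1 = A+{i}, A_2 = A+{j}, A_3 = A+{i,j}."""
    assert seq[i] % modulus and seq[j] % modulus and i not in A and j not in A
    return [pair_for_subset(seq, modulus, tuple(A) + extra)
            for extra in ((), (i,), (j,), (i, j))]

def round_success_probability(rate):
    """Per-round cheating success: Case 1 with probability 1/5 (passed by sending an
    honest 0/1 pair), Case 2 with probability 4/5 answered for the given fraction."""
    return Fraction(1, 5) + Fraction(4, 5) * rate

if __name__ == "__main__":
    X = 11   # x(n): an odd prime, so 2 is invertible (property 4)
    honest = [0, 0, 1, 0]
    two_nonzero = [0, 5, 7, 0]     # 5 + 7 = 12 = 1 mod 11, but two non-zero entries
    three_nonzero = [1, 1, 10, 0]  # 1 + 1 + 10 = 12 = 1 mod 11; reaches the 3/4 bound
    wrong_sum = [0, 3, 0]
    for name, seq in [("honest", honest), ("two non-zero", two_nonzero),
                      ("three non-zero", three_nonzero), ("sum != 1", wrong_sum)]:
        rate = case2_success_rate(seq, X)
        print(f"{name:15s} case-2 rate {rate}  per-round {round_success_probability(rate)}")
    # Lemma 1: for two non-zero positions i, j the four related partitions never all
    # give the same pair, so at least one of them catches the cheater.
    print("Lemma 1 pairs:", [sorted(p) for p in lemma1_pairs(two_nonzero, X, 1, 2, ())])
    # Remark 1: with x(n) = 2 (Goldwasser-Micali) any odd number of 1's passes every time.
    print("GM, three 1's:", case2_success_rate([1, 1, 1, 0], 2))
```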

5.4 The Protocol

Let $t$ be the number of secrets of the vendor, and let $s_1, \ldots, s_t$ be the secrets themselves.

Initialization The buyer creates an encryption system $\mathcal{E}$, which verifies the properties stated in Section 3, sends the public parameters of this system and proves their validity or provides a certificate.

Secret Selection The buyer sends a sequence of $t$ numbers, encrypted under $\mathcal{E}$, and gives a zero-knowledge proof that there are actually $t - 1$ zeros and a one among them. Let $f(r_1, x_1), \ldots, f(r_t, x_t)$ be the $t$ encrypted values.

Vendor computation The vendor picks a random $h$ and computes:

$$S = \prod_{i=1}^{t} hide\bigl(h, f(r_i, x_i)\bigr)^{s_i} = f\Bigl(h r' \bmod r(n),\ \sum_{i=1}^{t} x_i s_i \bmod x(n)\Bigr)$$

where $r'$ can be computed in polynomial time from the $r_i$ and the $x_i$.

Secret recovery Upon receipt of $S$, the buyer can retrieve $g(S) = \sum_{i=1}^{t} x_i s_i \bmod x(n)$, which is equal to one of the $s_i$, depending on his initial choice.
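The following Python is an added example, not code from the paper: a toy instance of the Benaloh-style system of Section 4.2, used to exercise the properties of Section 3 (homomorphism, the hide function, the equality proof of property 6) and then the vendor computation and secret recovery of Section 5.4. The parameters p = 23, q = 7, n = 11, y = 3 are constructed toy values (a real modulus has hundreds of bits), and decryption brute-forces the residuosity class, which is only viable for such a small n.

```python
# Added example (not from the paper): a toy instance of the Benaloh-style system of
# Section 4.2 used to exercise the properties of Section 3 (homomorphism, hide, the
# equality proof) and the vendor computation / secret recovery of Section 5.4.
# All parameters are constructed toy values; a real modulus has hundreds of bits.
from math import gcd
import random

P, Q = 23, 7                 # two "large" primes (toy)
N = P * Q                    # public modulus, 161
PHI = (P - 1) * (Q - 1)      # Euler totient of N, 132 = 2^2 * 3 * 11
XN = 11                      # the prime n: divides PHI, n^2 does not; x(n) = n = 11
Y = 3                        # a non n-th residue: y^(PHI/n) != 1 mod N

assert PHI % XN == 0 and PHI % (XN * XN) != 0 and pow(Y, PHI // XN, N) != 1
assert gcd(2, XN) == 1       # property 4: 2 is invertible in X(n)

def f(r, x):
    """Public probabilistic encryption f(r, x) = r^n y^x mod N, r a unit mod N."""
    assert gcd(r, N) == 1 and 0 <= x < XN
    return pow(r, XN, N) * pow(Y, x, N) % N

def g(c):
    """Private decryption: residuosity class of c modulo n.  Since r^PHI = 1,
    c^(PHI/n) = (y^(PHI/n))^x, and for a toy n the class is found by brute force."""
    base, target = pow(Y, PHI // XN, N), pow(c, PHI // XN, N)
    for x in range(XN):
        if pow(base, x, N) == target:
            return x
    raise ValueError("not a valid ciphertext")

def homomorphic_r3(r1, x1, r2, x2):
    """Property 1: f(r1,x1) f(r2,x2) = f(r3, x1+x2 mod n) with r3 = r1 r2 y^k, k = (x1+x2)//n."""
    return r1 * r2 * pow(Y, (x1 + x2) // XN, N) % N

def hide(s, c):
    """Property 5: hide(s, c) = f(s, 0) c re-randomises c; the plaintext is unchanged."""
    return f(s, 0) * c % N

def prove_equal(r1, r2):
    """Property 6, prover: for c1 = f(r1,x), c2 = f(r2,x), reveal r3 with c1/c2 = f(r3, 0)."""
    return r1 * pow(r2, -1, N) % N

def verify_equal(c1, c2, r3):
    """Property 6, verifier: accept iff c1 / c2 == f(r3, 0), i.e. c1 and c2 encrypt the same x."""
    return c1 * pow(c2, -1, N) % N == f(r3, 0)

def random_unit(rng):
    """A random element of R(n): a unit modulo N."""
    while True:
        r = rng.randrange(1, N)
        if gcd(r, N) == 1:
            return r

def vendor_reply(ciphertexts, secrets, h):
    """Section 5.4: S = prod_i hide(h, f(r_i, x_i))^(s_i) mod N, which by the homomorphism
    encrypts sum_i x_i s_i mod n.  The vendor never learns which x_i is the 1."""
    S = 1
    for c, s in zip(ciphertexts, secrets):
        S = S * pow(hide(h, c), s, N) % N
    return S

def andos(choice, secrets, seed=0):
    """One honest run: the buyer encrypts the indicator vector of `choice`, the vendor
    answers with S, and the buyer decrypts S to the chosen secret (secrets live in X(n))."""
    assert all(0 <= s < XN for s in secrets) and 0 <= choice < len(secrets)
    rng = random.Random(seed)                        # deterministic randomness for the demo
    xs = [1 if i == choice else 0 for i in range(len(secrets))]
    cts = [f(random_unit(rng), x) for x in xs]       # the buyer's query string
    return g(vendor_reply(cts, secrets, random_unit(rng)))

if __name__ == "__main__":
    c1, c2 = f(2, 3), f(4, 9)
    print("g(c1 c2) =", g(c1 * c2 % N), "== (3 + 9) mod 11 =", (3 + 9) % XN)
    print("equality proof accepts:", verify_equal(f(2, 4), f(9, 4), prove_equal(2, 9)))
    print("equality proof rejects:", verify_equal(f(2, 4), f(9, 5), prove_equal(2, 9)))
    secrets = [4, 8, 3, 10, 0]
    print("recovered:", [andos(i, secrets, seed=i) for i in range(len(secrets))])
```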



5.5 Correctness

The security for the buyer is a consequence of the security of the previous proof. Now, let us analyze what additional information the buyer could try to get.

The questions of the vendor during the interactive proof of knowledge come from a random source which is unrelated to his secrets. Hence, the buyer might only be able to gain extra information (beyond the secret he retrieved) by analyzing the final reply string.

When decrypting this reply string, the buyer gets the value of one secret, which cannot be of any help to figure out what the other secrets are. To see this, consider the randomness parameter of the encryption function, namely $Z = h r' \bmod r(n)$. Let us fix the $r_i$ and the $s_i$; $r'$ is thus fixed. When $h$ ranges over $R(n)$, $Z$ ranges over $R(n)$ too. Hence, the distribution of $Z$ over all the possible values of $h$ is uniform. This means that if we only fix the $r_i$ and the very $s_a$ retrieved by the buyer, the distribution of $Z$ over all the possible values of $h$ and the other $s_i$ is also uniform. Consequently, the buyer is unable to get any information from the analysis of $S$.



5.6 Recovery of Large Secrets

A problem occurs in case the secrets are larger than $x(n)$. As a matter of fact, our protocol only allows the recovery of a secret modulo $x(n)$. Nevertheless, this difficulty can easily be avoided. Simply split each secret into blocks of size smaller than $x(n)$, and apply the vendor computation, with the same query string, on the different sequences of blocks. The fact that the same query string is used provides the security, and allows a very small overhead: the query cost remains the same, and the reply cost is simply multiplied by the size of the largest secret divided by $x(n)$.

5.7 The Recursive Protocol 

The complexity of the protocol is 0{t), while in fact, we are only wishing to 
send an index, which could be achieved in 0(log<) without encryption (nor pri- 
vacy). By using the same trick as Kushilevitz and Ostrovsky |K()97j . we can 

reduce the query cost to while the reply cost is only increased to 

It is interesting to note that, by using the Naccache-Stern cryp- 
tosystem instead of the quadratic residuosity cryptosystem, we slightly improve 
their complexity result. 

We now proceed as follows:

Let $t$ be the number of secrets of the vendor, and let $s_1, \ldots, s_t$ be the secrets themselves. Fix an integer $m$ and split the $t$ secrets into $t/m$ buckets of $m$ elements. The distribution of the secrets in each bucket is known by both participants (say the $m$ first secrets in the first bucket, and so on), and the order of the secrets in each bucket is also fixed by the protocol.

We now apply almost the same protocol as before, with a sequence of $m$ integers:

— The buyer sends his query and proves its validity.

— The vendor performs the previous computation, for each bucket, with the same query string but keeps all the results.

By applying the vendor computation independently to each bucket, we have virtually extracted a set of $t/m$ secrets out of $t$ secrets. So, we can apply the protocol again to this new set of secrets until the size of the set is less than $m$. The sole difference is that the secrets in the new set are encrypted and will necessarily be of size greater than $x(n)$. This is not a problem as we know how to recover large secrets. Ultimately, when the number of secrets in the set is less than $m$, we apply the basic protocol.

Of course, the size of the secrets will grow at each step. After $t/m$ steps, their size will be $(y(n)/x(n))^{t/m}$ times bigger than the original ones, so the value of $m$ should be chosen to obtain the best tradeoff between the size of the query strings and the reply string.

Let us now analyze the complexity of this algorithm and discuss the values 
for m. 

5.8 Complexity

Let $L$ be the number of steps of the protocol. At each step we apply the protocol with $m = m_i$ (hence $t \le \prod_{i=1}^{L} m_i$). Let us choose all the $m_i$ equal, that is

$$m_i = t^{1/L}.$$

— The size of each of the query strings is $y(n)\, m_i$ bits, so the total communication cost of the queries is $y(n) \sum_{i=1}^{L} m_i = y(n)\, t^{1/L} L$.

— If $k$ is fixed, the communication cost of the zero-knowledge proof is of the form $C + D m_i$, so the cost of the zero-knowledge proofs is $(C + D t^{1/L}) L$, where $C$ and $D$ are some constants (which depend on $k$).

— The communication cost of the final reply string (if we assume that the size of the original secrets is less than $x(n)$) is $y(n)\, (y(n)/x(n))^L$.

The global communication cost of the protocol, for $t$ secrets, is

$$CC = \bigl(t^{1/L} (y(n) + D) + C\bigr) L + y(n)\, (y(n)/x(n))^L$$

When we use the Naccache-Stern or the Okamoto-Uchiyama cryptosystem, the ratio $y(n)/x(n)$ remains constant when $n$ grows. Let $E = y(n)/x(n)$.

If we solve for the value of $L$ which makes both terms equal, we get:

$$L = O(\sqrt{\log t})$$

which gives a complexity of:

CC =

This result is to be compared with the complexity obtained in [KO97], which is $2^{O(\sqrt{\log t \cdot \log y(n)})}$.


6 Applications

The possible applications of our ANDOS protocol are numerous, and we only briefly comment on them. It allows, for instance, the implementation of multi-player mental games as claimed in the original ANDOS paper [BCR87].

It can also be used to implement a pay-per-access database with private queries. This case is a very straightforward application. The implementation issues, which are discussed in the next section, show that this would lead to a really practical protocol.

It can also serve as a building block for more complicated protocols, such as electronic voting, where the basic idea is to use an ANDOS protocol to distribute "eligibility tokens", which are used later to prove one's right to vote [NSS91,Ive91].

This protocol can also be used as an important building block in asymmetric traitor tracing [CFN94,Pfi96] or asymmetric fingerprinting schemes [PS96,PW97]. In traitor tracing, the buyer can use our protocol in order to get a part of his key, say one half, while the other half would be chosen and kept by the vendor along with the query string. Tracing would be performed by comparing a set of recovered keys with the known halves; trial can be achieved by exhibiting the recovered key and the query string. An innocent buyer can prove himself innocent by revealing his cleartexts to show they do not match the recovered key. Details about these families of protocols, resistance against collusions, and good choices for sets of keys can be found in [Pfi96,CFN94,BS95].

For fingerprinting purposes, we can apply the very same process, but instead of sending back the selected secret, which would be chosen by the buyer among a set of acceptable fingerprints, the vendor would insert the (encrypted) secret inside the data to be fingerprinted, using the homomorphic properties of the encryption function (Prop. 2), and send this data to the buyer. The reader can find additional precision in [BM97] where the authors show the existence of a protocol for collusion-secure asymmetric fingerprinting with the help of what they define as a "committed" ANDOS protocol. This means that the buyer has to commit to the secret he is willing to buy at the beginning of the protocol, which is the case in our scheme.



7 Implementation Issues

Our protocol is very efficient for real-life applications, since it does not hide a very large constant behind its asymptotic behavior. We give here a few examples of costs when the Naccache-Stern cryptosystem is used.

A reasonable size for the modulus $N$, in order to prevent factorization, is 640 bits. As suggested in [NS98], we will choose $n$ around

Note that in order to implement the protocols, several small tricks can be used to improve the communication cost by a constant factor. For instance, at the beginning of each round of the zero-knowledge proof, the buyer can send one encrypted bit, say $f(h_1, x_1)$, instead of two, and then, in case 2, can show the mapping between the pair $\{a, b\}$ and the pair $\{f(h_1, x_1)/f(1, 1),\ f(1, 1)/f(h_1, x_1)\}$. We assume that these tricks are used when computing the real costs.

The table below summarizes the communication costs, in kilobits, for different values of the number of secrets and of the security parameter of the zero-knowledge proof.
           t = 1000   t = 10000   t = 100000   t = 1000000
k = 20         94         128          176           224
k = 30        119         166          214           275
k = 40        145         205          252           326

With a 33600 bps modem, the protocol takes between 3 and 10 seconds to complete. This is a reasonable time to retrieve a key of up to 160 bits. If this key is used to decrypt a piece of data that has previously been retrieved anonymously (say on a newsgroup), the key retrieval time is likely to be small compared to the time needed to retrieve the encrypted data.

If one is willing to directly retrieve large data (e.g. images), the overhead due to our protocol is roughly a multiplicative factor of 16, which is significant but reasonable. Of course, for very large data, the vendor computation becomes very heavy and might not be negligible any more compared to the transmission time.

8 Conclusion

The primary contribution of this paper is a new and efficient zero-knowledge protocol which allows one to prove that a committed string contains one 1 and otherwise 0's. We would like to stress that this protocol is an important building block for many schemes: ANDOS in a straightforward manner, and from there asymmetric fingerprinting, asymmetric traitor tracing or electronic voting. As pointed out in the last section, it is efficient enough to allow, for the first time, a viable and provably secure implementation of an ANDOS protocol.



Acknowledgments 

I am grateful to Jean-Jacques Quisquater for fruitful advice and many helpful hints, as well as to my fellow students at the UCL Crypto group for valuable discussions. I also wish to thank Markus Jakobsson and Miklos Santha for proofreading the manuscript.





References 



A New and Efficient All-Or-Nothing Disclosure 369 



BCR87. G. Brassard, C. Crepeau, and J.-M. Robert. All-or-nothing disclosure of secrets. In A. M. Odlyzko, editor, Proc. CRYPTO 86, volume 263 of Lecture Notes in Computer Science, pages 234-238. Springer-Verlag, 1987.

BCS96. G. Brassard, C. Crepeau, and M. Santha. Oblivious transfers and intersecting codes. IEEE Transactions on Information Theory, pages 1769-1780, 1996.

BD90. M. V. D. Burmester and Y. Desmedt. All languages in NP have divertible zero-knowledge proofs and arguments under cryptographic assumptions. In Advances in Cryptology — Eurocrypt '90, pages 1-10, 1990.

Ben87. J. D. C. Benaloh. Verifiable Secret-Ballot Elections. PhD thesis, Yale University, 1987.

BF97. D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In B. S. Kaliski Jr, editor, Proc. CRYPTO '97, volume 1294 of Lecture Notes in Computer Science, pages 425-439. Springer-Verlag, 1997.

BM97. I. Biehl and B. Meyer. Protocols for collusion secure asymmetric fingerprinting. In STACS '97, pages 399-412, 1997.

BS95. D. Boneh and J. Shaw. Collusion-secure fingerprinting for digital data. Volume 963 of Lecture Notes in Computer Science, pages 452-465. Springer, 1995.

CFN94. B. Chor, A. Fiat, and M. Naor. Tracing traitors. In Y. G. Desmedt, editor, Proc. CRYPTO '94, volume 839 of Lecture Notes in Computer Science, pages 257-270. Springer, 1994.

CG97. B. Chor and N. Gilboa. Computationally private information retrieval (extended abstract). In Proceedings of the Twenty-Ninth Annual ACM Symposium on Theory of Computing, pages 304-313, El Paso, Texas, 4-6 May 1997.

CGKS95. B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan. Private information retrieval. In 36th Annual Symposium on Foundations of Computer Science, pages 41-50, Milwaukee, Wisconsin, 23-25 October 1995. IEEE.

EGL83. S. Even, O. Goldreich, and A. Lempel. A randomized protocol for signing contracts. In R. L. Rivest, A. Sherman, and D. Chaum, editors, Proc. CRYPTO 82, pages 205-210, New York, 1983. Plenum Press.

FFS88. U. Feige, A. Fiat, and A. Shamir. Zero knowledge proofs of identity. Journal of Cryptology, 1(2):77-94, 1988.

GM84. S. Goldwasser and S. Micali. Probabilistic encryption. JCSS, 28(2):270-299, April 1984.

Ive91. K. R. Iversen. A cryptographic scheme for computerized general elections. In J. Feigenbaum, editor, Advances in Cryptology — CRYPTO '91, volume 576 of Lecture Notes in Computer Science, pages 405-419. Springer-Verlag, 1992, 11-15 August 1991.

KO97. E. Kushilevitz and R. Ostrovsky. Replication is not needed: Single database, computationally-private information retrieval (extended abstract). In 38th Annual Symposium on Foundations of Computer Science, pages 364-373, Miami Beach, Florida, 20-22 October 1997. IEEE.

NR94. V. Niemi and A. Renvall. Cryptographic protocols and voting. In Results and Trends in Theoretical Computer Science, volume 812 of Lecture Notes in Computer Science, pages 307-316, 1994.

NS98. D. Naccache and J. Stern. A new candidate trapdoor function. To appear in 5th ACM Symposium on Computer and Communications Security, 1998.




370 J.P. Stern



NSS91. H. Nurmi, A. Salomaa and L. Santean. Secret ballot elections in computer networks. Computers and Security, 10:553-560, 1991.

Oht97. K. Ohta. Remarks on blind decryption. In Information Security Workshop, pages 59-64, 1997.

OU98. T. Okamoto and S. Uchiyama. An efficient public-key cryptosystem. In Advances in Cryptology — EUROCRYPT 98, pages 308-318, 1998.

Pfi96. B. Pfitzmann. Trials of traced traitors. In R. Anderson, editor, Information Hiding, volume 1174 of Lecture Notes in Computer Science, pages 49-64. Springer-Verlag, 1996.

PS96. B. Pfitzmann and M. Schunter. Asymmetric fingerprinting (extended abstract). In U. Maurer, editor, Advances in Cryptology — EUROCRYPT 96, volume 1070 of Lecture Notes in Computer Science, pages 84-95. Springer-Verlag, 12-16 May 1996.

PW97. B. Pfitzmann and M. Waidner. Asymmetric fingerprinting for larger collusions. In 4th ACM Conference on Computer and Communications Security, 1997.

SS90. A. Salomaa and L. Santean. Secret selling of secrets with several buyers. EATCS Bulletin, 42:178-186, 1990.

SY97. K. Sakurai and Y. Yamane. Blind decoding, blind undeniable signatures, and their applications to privacy protection. In R. Anderson, editor, Information Hiding, volume 1174 of Lecture Notes in Computer Science, pages 257-264. Springer-Verlag, 1997.

vdGP88. J. van de Graaf and R. Peralta. A simple and secure way to show the validity of your public key. In C. Pomerance, editor, Proc. CRYPTO '87, volume 293 of Lecture Notes in Computer Science, pages 128-134. Springer-Verlag, 1988.

Wie83. S. Wiesner. Conjugate coding. Sigact News, 18:78-88, 1983. Original manuscript written circa 1970.

Yao86. A. C. Yao. How to generate and exchange secrets. In Proc. 27th IEEE Symp. on Foundations of Comp. Science, pages 162-167, Toronto, 1986. IEEE.



A Proof of Claims of Section 15.21 

We now show that the protocol does not leak any information on the position 
of the non-zero element by constructing a simulator. We use a zero-knowledge 
type argument. (For more information on zero-knowledge proofs and simulators, 
see [KKS88].) However, it is important to stress that we do not prove in zero- 
knowledge that the commitment $\sigma$ is correct. This would entail a simulation of 
the protocol with input $\sigma$. Rather, we show how to simulate (up to computational 
indistinguishability) the whole protocol, including the commitment creation 
step. In other words, we show that the whole protocol is independent (up to 
computational indistinguishability) of the choice of the unique index of the buyer. 

We will do this in several steps. Consider the following simulator, which we 
call $S(q,m)$: this simulator is given two inputs, $m$, an integer in $Y(n)$ which is 
an encryption of 1, and $q$, an index in $\{1,\dots,t\}$. It works as follows: 

— First, he creates a sequence of $t$ integers, all of which represent encryptions 
of 0, except for the one in position $q$, which is simply the application of the 
function $\mathrm{hide}$ to $m$. Let $v_1 = f(r_1,x_1), \dots, v_t = f(r_t,x_t)$ be these integers 
(with $v_q = \mathrm{hide}(r_q,m)$). 

— Then the simulator anticipates the question of the vendor: he picks a random 
number between 1 and 2. He also chooses two random numbers $h_1$ and $h_2$ 
in $R(n)$. 

— If he picks 1, he sends the pair $\{f(h_1,0), f(h_2,1)\}$, else he sends the pair 
$\{f(h_1,0), \mathrm{hide}(h_2,m)\}$. 

— He waits for the vendor's question. If his guess is not correct, he resets and 
starts again; otherwise: 

— In Case 1, he reveals the cleartext corresponding to the encrypted pair. 

— Else, he receives two subsets $A$ and $B$ which form a partition of $\{1,\dots,t\}$. 
Suppose that $q$ is in $A$. Then the simulator sends the pair of quotients obtained 
from $\prod_{i\in A} v_i$ and $\prod_{i\in B} v_i$ and the values $h_1$, $h_2$; else he swaps 
$h_1$ and $h_2$. 

We will now prove that, for any pair $(q,q') \in \{1,\dots,t\}^2$, the outputs of the 
simulators $S(q,m)$ and $S(q',m)$ are indistinguishable by a polynomially bounded 
adversary. 

Fix $q \in \{1,\dots,t\}$. The simulator $S(q,m)$ simulates the protocol (but this 
does not prove anything, as he uses as input the index of the non-zero element 
in the initial sequence, together with a ciphertext of 1). 

Now consider the simulator $S(q,m')$ when $m'$ is an encryption of 0. The 
existence of a polynomial (probabilistic) time algorithm which distinguishes 
between the outputs of both simulators would directly yield an algorithm which 
distinguishes between the encryption of a 0 and the encryption of a 1. This 
would go against the assumed semantic security of the system (property 3). 

But, when $m'$ is a ciphertext of 0, the index $q$ does not play any role any 
more, as each of the $t$ integers of the initial sequence represents an encryption 
of 0. Let $q'$ be in $\{1,\dots,t\}$, $q' \neq q$. The output of the simulator $S(q',m')$ is thus 
indistinguishable from that of $S(q,m')$. And finally, with the same argument based on 
semantic security, the output of $S(q',m')$ is indistinguishable from that of $S(q',m)$. 
This shows that our proof does not leak any information on the index of the 
non-zero element. 

Remark 2. The simulators we have considered work in expected polynomial time, 
while the assumption made on the semantic security only requires resistance 
against polynomial time algorithms. Actually, by limiting the number of resets 
to, say, $kn$ (where $k$ and $n$ are the two security parameters in use), we complete 
the simulation of the $k$ rounds with probability exponentially close to 1. This is 
enough for computational indistinguishability. 
Abstract. A well-known cryptographic scenario is the following: a smart 
card wishes to compute an RSA signature with the help of an untrusted 
powerful server. Several protocols have been proposed to solve this 
problem, and many have been broken. There exist two kinds of attacks 
against such protocols: passive attacks (where the server follows the 
instructions) and active attacks (where the server may return false values). 
An open question in this field is the existence of efficient protocols (without 
expensive precomputations) provably secure against both passive 
and active attacks. At Crypto '95, Beguin and Quisquater tried to 
answer this question by proposing an efficient protocol which was resistant 
against all known passive and active attacks. In this paper, we present a 
very effective lattice-based passive attack against this protocol. An 
implementation is able to recover the secret factorization of an RSA-512 or 
RSA-768 key in less than 5 minutes once the card has produced about 
50 signatures. The core of our attack is the basic notion of an orthogonal 
lattice which we introduced at Crypto '97 as a cryptographic tool. 



1 Introduction 

Small units like chip cards or smart cards have the possibility of computing, 
storing and protecting data. Today, some of these cards include fast and secure 
coprocessors that quickly perform the expensive operations needed by 
public key cryptosystems. But most of the cards are cheap cards with too limited 
computing power for such tasks. To overcome this problem, extensive research 
has been conducted under the generic name "server-aided secret computations" 
(SASC). In a SASC protocol, the client (the smart card) wants to perform a 
secret computation (e.g., RSA signature generation) by borrowing the computing 
power of an untrusted powerful server without revealing its secret information. 
One distinguishes two kinds of attacks against such protocols: attacks where the 
server respects the instructions are called passive attacks, while attacks where 
the server may return false computations are called active attacks. 

The first SASC protocol was proposed by Matsumoto, Kato and Imai in 
the case of RSA signatures. Pfitzmann and Waidner presented several 
passive attacks against all the protocols of Matsumoto, Kato and Imai, and Anderson 
described an efficient active attack against one of them. Several new protocols 
such as [8,5,4,2,7] have been proposed since. Among these, the protocol of Beguin 
and Quisquater [2] was quite attractive: it was relatively efficient (since it was 
based on the fast exponentiation algorithm due to Brickell, Gordon, McCurley 
and Wilson), did not require expensive precomputations (contrary to most 
of the proposed protocols), and was secure against all known passive and active 
attacks, including some lattice-based passive attacks. 

We present a very effective lattice-based passive attack against this protocol. 
Our implementation shows that a server is able to recover the secret factorization 
of the RSA key (512, 768 or 1024 bits) in less than 5 minutes, once the 
card has produced about 50 signatures, for all the choices of parameters 
suggested by Beguin and Quisquater. To run the attack, the server needs to store 
very little information. The core of our attack is the basic notion of an 
orthogonal lattice which we recently introduced as a cryptographic tool at Crypto '97. 
As in [10,12,11], this technique enables us to use the linearity hidden in the 
protocol, and results in a simple heuristic attack which is devastating in practice. 
An open question remains: does there exist a server-aided RSA signature protocol 
which is both efficient (without requiring expensive precomputations) and 
provably secure against passive and active attacks? 

The rest of the paper is organized as follows. In Section 2, we give a short 
description of the Beguin-Quisquater server-aided RSA signature protocol. We 
refer to [2] for more details. In Section 3, we recall some facts from our Crypto '97 
paper about the notion of an orthogonal lattice. Finally, we present our attack in 
Section 4 and the experiments in Section 5. 



2 The Beguin-Quisquater Protocol 

Let $n = pq$ be an RSA public modulus with a secret exponent $s$ and a public 
exponent $v$. We have $sv \equiv 1 \pmod{\phi(n)}$ with $\phi(n) = (p-1)(q-1)$. Denote by 
$\ell(x)$ the bit-length of an integer $x$. Let $t = \max(\ell(p), \ell(q)) - 1$. In practice, one 
can assume that $\ell(p) = \ell(q) = t+1$. Using the Extended Euclidean Algorithm, 
compute integers $W_p$ and $W_q$, less than $n$ in absolute value, such that $W_p + W_q = 1$, 
$p$ divides $W_p$ and $q$ divides $W_q$. Thus, if $y_p \equiv y \pmod p$ and $y_q \equiv y \pmod q$, then 
$y \equiv y_p W_q + y_q W_p \pmod n$. The protocol uses two integer parameters $m$ and $h$, 
and is as follows: 

1. The card receives $M$ to sign. 

2. The card chooses random integers $a_0, \dots, a_{m-1}$ in $\{0, \dots, h\}$ and $x_0, \dots, x_{m-1}$ 
such that $\ell(x_i) \le t - \log_2(mh) - 2$. 

3. The card computes $s_1 = \sum_{i=0}^{m-1} a_i x_i$. 

4. The card sends $M, n, x_0, \dots, x_{m-1}$ to the server. 

5. The server returns $z_0, \dots, z_{m-1}$ where $z_i = M^{x_i} \bmod n$. 

6. The card computes $Z_p = \prod_{i=0}^{m-1} z_i^{a_i} \bmod p$ and $Z_q = \prod_{i=0}^{m-1} z_i^{a_i} \bmod q$ using 
the algorithm of Brickell, Gordon, McCurley and Wilson for fast exponentiation 
with precomputation. 

7. The card computes $s_2 = s - s_1$ and represents $s_2$ under the form: 
$$\sigma_p = (s_2 \bmod (p-1)) + Q_p (p-1), \qquad \sigma_q = (s_2 \bmod (q-1)) + Q_q (q-1),$$ 
where $Q_p$ is a random number in $\{0, \dots, q-2\}$ and $Q_q$ is a random number 
in $\{0, \dots, p-2\}$. 

8. The card sends $\sigma_p$ and $\sigma_q$ to the server. 

9. The server computes and sends to the card $y_p = M^{\sigma_p} \bmod n$ and $y_q = M^{\sigma_q} 
\bmod n$. 

10. The card computes $S_p = y_p Z_p \bmod p$ and $S_q = y_q Z_q \bmod q$. 

11. Next, the card computes $S = W_q S_p + W_p S_q \bmod n$. 

12. The card verifies $M = S^v \bmod n$. 

13. If the verification is correct, then the card transmits $S$. 
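The thirteen steps above as an added simulation in Python (this is neither the paper's nor Beguin and Quisquater's code): a Card object performs Steps 2, 3, 6, 7 and 10 to 13, an honest Server performs Steps 5 and 9, and a final check confirms the relation $\Delta\sigma_p + \Delta s_1 \equiv 0 \pmod{p-1}$ (and its twin modulo $q-1$) that the attack of Section 4 starts from, together with the bound $|\Delta s_1| < 2^{t-2}$ of Lemma 5. The BGMW exponentiation of Step 6 is replaced by plain modular exponentiation; the two constructed 32-bit primes (in place of RSA-512), the exponent 65537, the message and all names are assumptions of this example. Parameters are those of Case 1 ($h = 10$, $m = 19$).

```python
import math
import random


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def crt_weights(p, q):
    """W_p, W_q with W_p + W_q = 1, p | W_p and q | W_q, so y = y_p W_q + y_q W_p (mod n)."""
    g, x, y = egcd(p, q)                        # p*x + q*y = 1
    assert g == 1
    return p * x, q * y


class Card:
    """The card: knows p, q, s and does only the cheap Steps 2, 3, 6, 7 and 10 to 13."""

    def __init__(self, p, q, v, m, h, rng):
        self.p, self.q, self.n, self.v = p, q, p * q, v
        self.s = pow(v, -1, (p - 1) * (q - 1))  # s*v = 1 mod phi(n)
        self.m, self.h, self.rng = m, h, rng
        self.t = max(p.bit_length(), q.bit_length()) - 1
        self.Wp, self.Wq = crt_weights(p, q)

    def split_exponent(self):
        """Steps 2-3: a_i in {0..h}, x_i of at most floor(t - log2(mh) - 2) bits, s_1 = sum a_i x_i."""
        k = math.floor(self.t - math.log2(self.m * self.h) - 2)
        self.a = [self.rng.randint(0, self.h) for _ in range(self.m)]
        self.x = [self.rng.randrange(1 << k) for _ in range(self.m)]
        self.s1 = sum(ai * xi for ai, xi in zip(self.a, self.x))
        return self.x

    def combine_powers(self, z):
        """Step 6: Z_p = prod z_i^{a_i} mod p and Z_q likewise mod q (plain pow instead of BGMW)."""
        Zp = Zq = 1
        for zi, ai in zip(z, self.a):
            Zp = Zp * pow(zi, ai, self.p) % self.p
            Zq = Zq * pow(zi, ai, self.q) % self.q
        return Zp, Zq

    def mask_remainder(self):
        """Step 7: s_2 = s - s_1; sigma_p = s_2 mod (p-1) + Q_p (p-1), sigma_q = s_2 mod (q-1) + Q_q (q-1)."""
        p, q, s2 = self.p, self.q, self.s - self.s1
        Qp, Qq = self.rng.randint(0, q - 2), self.rng.randint(0, p - 2)
        return s2 % (p - 1) + Qp * (p - 1), s2 % (q - 1) + Qq * (q - 1)

    def finish(self, M, yp, yq, Zp, Zq):
        """Steps 10-13: S_p = y_p Z_p mod p, S_q = y_q Z_q mod q, CRT-recombine, verify, release."""
        Sp, Sq = yp * Zp % self.p, yq * Zq % self.q
        S = (self.Wq * Sp + self.Wp * Sq) % self.n
        if pow(S, self.v, self.n) != M:
            raise ValueError("verification failed: the server returned wrong values")
        return S


class Server:
    """Passive server: follows Steps 5 and 9 honestly but records every (sigma_p, sigma_q)."""

    def __init__(self):
        self.log = []

    def powers(self, M, n, xs):                    # Step 5
        return [pow(M, xi, n) for xi in xs]

    def finish(self, M, n, sigma_p, sigma_q):     # Step 9
        self.log.append((sigma_p, sigma_q))
        return pow(M, sigma_p, n), pow(M, sigma_q, n)


def sign(card, server, M):
    """One run of Steps 1-13; returns (S, s_1), s_1 being the card's secret for that run."""
    z = server.powers(M, card.n, card.split_exponent())
    Zp, Zq = card.combine_powers(z)
    sigma_p, sigma_q = card.mask_remainder()
    yp, yq = server.finish(M, card.n, sigma_p, sigma_q)
    return card.finish(M, yp, yq, Zp, Zq), card.s1


def difference_relation_holds(card, server, M, count):
    """Over `count` signatures: successive differences of sigma_p plus those of s_1 vanish mod (p-1),
    the same holds mod (q-1) for sigma_q, and |Delta s_1| < 2^{t-2} (Lemma 5 of Section 4)."""
    s1s = [sign(card, server, M)[1] for _ in range(count)]
    sig = server.log[-count:]
    ok = True
    for i in range(count - 1):
        ds1 = s1s[i + 1] - s1s[i]
        ok &= (sig[i + 1][0] - sig[i][0] + ds1) % (card.p - 1) == 0
        ok &= (sig[i + 1][1] - sig[i][1] + ds1) % (card.q - 1) == 0
        ok &= abs(ds1) < 1 << (card.t - 2)
    return ok


# Constructed toy instance: two 32-bit primes instead of RSA-512, exponent 65537, Case 1 parameters.
P, Q, V = 4294967291, 4294967279, 65537
MSG = 123456789012345


def make_card(seed=1):
    return Card(P, Q, V, m=19, h=10, rng=random.Random(seed))


def demo(seed=1):
    """Signs MSG once and returns S (equal to MSG^s mod n)."""
    return sign(make_card(seed), Server(), MSG)[0]
```

Running `demo()` produces a valid RSA signature while the card never exponentiates with $s$ itself; the server, meanwhile, sees $\sigma_p$ and $\sigma_q$ for every run, and `difference_relation_holds` shows that their successive differences are congruent to $-\Delta s_1$, a quantity a few bits shorter than $p-1$, which is exactly the leak the lattice attack exploits.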

In their paper [2], Beguin and Quisquater analyzed several passive and active 
attacks, including some lattice-based passive attacks. They concluded that their 
protocol was secure against all known passive and active attacks, for 4 different 
sets of parameters (valid for both RSA-512 and RSA-768), which are summarized 
in the following table: 

            Case 1   Case 2   Case 3   Case 4 
    h         10        7       17       11 
    m         19       22       25       29 



The resulting protocol was quite efficient. It only required about 30 modular 
multiplications for the card. The needed RAM and the data transfers between 
the card and the server were small, and the precomputations were not expensive. 

3 The Orthogonal Lattice 

We recall a few useful facts about the notion of an orthogonal lattice, which 
we introduced as a cryptographic tool at Crypto '97. Let $L$ be a lattice in $\mathbb{Z}^n$ where 
$n$ is any integer. The orthogonal lattice $L^\perp$ is defined as the set of elements 
in $\mathbb{Z}^n$ which are orthogonal to all the lattice points of $L$, with respect to the 
usual dot product. We define the lattice $\bar L = (L^\perp)^\perp$, which contains $L$ and whose 
determinant divides the one of $L$. The results of that paper which are of interest to us 
are the following two theorems: 

Theorem 1. If $L$ is a lattice in $\mathbb{Z}^n$, then $\dim(L) + \dim(L^\perp) = n$ and: 
$$\det(L^\perp) = \det(\bar L).$$ 

Thus, $\det(L^\perp)$ divides $\det(L)$. This implies that if $L$ is a low-dimensional lattice 
in $\mathbb{Z}^n$, then a reduced basis of $L^\perp$ will consist of very short vectors compared to 
a reduced basis of $L$. In practice, most of the vectors of any reduced basis of $L^\perp$ 
are quite short, with norm around $\det(L)^{1/(n - \dim L)}$. 
Theorem 2. There exists an algorithm which, given as input a basis $(b_1, \dots, b_d)$ 
of a lattice $L$ in $\mathbb{Z}^n$, outputs an LLL-reduced basis of the orthogonal lattice $L^\perp$, 
and whose running time is polynomial with respect to $n$, $d$ and any upper bound 
on the bit-length of the $\|b_j\|$'s. 

In practice, one obtains a simple and very effective algorithm (which consists 
of a single lattice reduction, described in our Crypto '97 paper) to compute a reduced basis of 
the orthogonal lattice, thanks to the celebrated LLL algorithm. This means 
that, given a low-dimensional $L$ in $\mathbb{Z}^n$, one can easily compute many short and 
linearly independent vectors in $L^\perp$. 



4 A Simple Attack 



Throughout the attack, only Steps 2, 3, 7 and 8 of the protocol will be of interest. 

Assume that the card computes $r+1$ signatures. Denote by $s_1^{[i]}$, $\sigma_p^{[i]}$ 
and $\sigma_q^{[i]}$ the values used by the card to compute the $i$-th signature. Define the 
following vectors in $\mathbb{Z}^r$, which consist of successive differences: 
$$\Delta s_1 = \bigl(s_1^{[2]} - s_1^{[1]},\ s_1^{[3]} - s_1^{[2]},\ \dots,\ s_1^{[r+1]} - s_1^{[r]}\bigr),$$ 
$$\Delta\sigma_p = \bigl(\sigma_p^{[2]} - \sigma_p^{[1]},\ \sigma_p^{[3]} - \sigma_p^{[2]},\ \dots,\ \sigma_p^{[r+1]} - \sigma_p^{[r]}\bigr),$$ 
$$\Delta\sigma_q = \bigl(\sigma_q^{[2]} - \sigma_q^{[1]},\ \sigma_q^{[3]} - \sigma_q^{[2]},\ \dots,\ \sigma_q^{[r+1]} - \sigma_q^{[r]}\bigr).$$ 

By definition of the $\sigma_p$'s and $\sigma_q$'s, the following equations hold: 
$$\Delta\sigma_p + \Delta s_1 \equiv 0 \pmod{p-1} \qquad (1)$$ 
$$\Delta\sigma_q + \Delta s_1 \equiv 0 \pmod{q-1} \qquad (2)$$ 

The server knows $\Delta\sigma_p$ and $\Delta\sigma_q$ by Step 8, but not $\Delta s_1$. These vectors were also 
considered by Beguin and Quisquater when they analyzed some lattice-based 
passive attacks, but this is the only similarity between these attacks and the 
attack we present. We will see that short vectors orthogonal to $\Delta\sigma_p$ (resp. $\Delta\sigma_q$) 
give information on $q$ (resp. $p$). If we find enough such independent vectors, then 
$q$ (resp. $p$) is revealed. Fortunately, the previous section shows that it is not hard 
to do so, provided that $r$ is sufficiently large. 

We start with two simple remarks: 

We start with two simple remarks: 

Lemma 3. Let $u \in \mathbb{Z}^r$. If $u \perp \Delta\sigma_p$ then $u \perp \Delta s_1$ or $\|u\| \ge (p-1)/\|\Delta s_1\|$. 

Proof. By (1), we have $u \cdot \Delta s_1 \equiv 0 \pmod{p-1}$; if this dot product is non-zero, its 
absolute value is at least $p-1$, and the result follows by Cauchy-Schwarz. □ 

Lemma 4. Let $u \in \mathbb{Z}^r$. If $u \perp \Delta s_1$ then $(q-1)$ divides $u \cdot \Delta\sigma_q$. 

Proof. Straightforward from (2). □ 

This shows that if $u \perp \Delta\sigma_p$ then $(q-1)$ divides $u \cdot \Delta\sigma_q$, or $\|u\| \ge (p-1)/\|\Delta s_1\|$. 
We notice that the latter case implies that $u$ is relatively long, because the entries 
of $\Delta s_1$ are smaller than $p-1$, as the following lemma shows: 

Lemma 5. Each entry of $\Delta s_1$ is in absolute value less than $2^{t-2}$. 

Proof. In Step 2, each $s_1^{[i]}$ is a sum of $m$ integers of the form $ax$ where $0 \le a \le h$ 
and $\ell(x) \le \lfloor t - \log_2(mh) - 2 \rfloor$. Therefore: 
$$0 \le s_1^{[i]} < mh \cdot 2^{t - \log_2(mh) - 2} = 2^{t-2}.$$ 
The result follows. □ 

Actually, the previous upper bound is quite pessimistic. In practice, experiments 
show that when the choices of Step 2 are indeed random, the entries of $\Delta s_1$ are 
in absolute value well below this bound, and smaller still on the average. This has to be 
compared with $\ell(p) = \ell(q) = t+1$. This phenomenon is explained by the 
following technical lemma: 

Lemma 6. If the random choices of Step 2 are independent and uniformly 
distributed, then the entries of $\Delta s_1$ have zero mean and a variance at most 
$$\frac{(2h+1)(2^k-1)(2^{k+1}-1)}{18}\, mh + \frac{2^{2k} h^2}{8}\,(m^2 - m),$$ 
where $k$ is the integer $\lfloor t - \log_2(mh) - 2 \rfloor$. 

Proof. A simple calculation shows that: 
$$E(a_i) = \frac{h}{2}, \qquad E(x_i) = \frac{2^k - 1}{2}, \qquad E(a_i^2) = \frac{h(2h+1)}{6}, \qquad E(x_i^2) = \frac{(2^k-1)(2^{k+1}-1)}{6}.$$ 
Therefore $E(s_1) = \frac{2^k-1}{4}\, mh$ and, by independence, 
$$E(s_1^2) = E\Bigl(\bigl(\textstyle\sum_{i=0}^{m-1} a_i x_i\bigr)^2\Bigr) = m\,E(a_0^2)E(x_0^2) + (m^2 - m)\,E(a_0)^2 E(x_0)^2.$$ 
Each entry of $\Delta s_1$ is the difference of two independent copies of $s_1$, so it has zero 
mean and variance $2\,\mathrm{Var}(s_1) = 2E(s_1^2) - 2E(s_1)^2 \le 2E(s_1^2)$; bounding $(2^k-1)^2$ 
by $2^{2k}$ in the second term of $2E(s_1^2)$ gives the quantity displayed in the lemma. □ 

Let $\sigma$ be the standard deviation of the entries of $\Delta s_1$. The following table gives 
the value of $(t+1) - \log_2 \sigma$ (which indicates the size difference between $q-1$ 
and the entries of $\Delta s_1$) for the 4 different choices of parameters. This value is 
almost independent of $t$: there is no difference between RSA-512, RSA-768 and 
RSA-1024. 

                        Case 1   Case 2   Case 3   Case 4 
    h                     10        7       17       11 
    m                     19       22       25       29 
    (t+1) - log2 sigma    5.4      5.7      5.2      5.7 

These figures are consistent with the quantity displayed in Lemma 6. Since that 
quantity is an upper bound on the variance ($2E(s_1^2)$ rather than $2E(s_1^2) - 2E(s_1)^2$), 
the actual $\sigma$ is smaller, by roughly two bits for these parameters, and the gaps in the 
table are conservative. 
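An exact check of the moment computation in the proof of Lemma 6, as an added Python example (not the authors' code): the closed-form moments are compared with a full enumeration of the choices of Step 2 for tiny parameters, and the tabulated quantity $(t+1) - \log_2 \sigma$ is recomputed for Case 1 both from $2\,\mathrm{Var}(s_1) = 2E(s_1^2) - 2E(s_1)^2$ (the variance of a difference of two independent runs) and from the $2E(s_1^2)$ of the lemma's displayed bound. The enumeration sizes and the function names are this example's own choices.

```python
import math
from fractions import Fraction
from itertools import product


def moments(h, k):
    """Closed forms from the proof: a uniform in {0..h}, x uniform in {0..2^k-1}.
    Returns E(a), E(a^2), E(x), E(x^2)."""
    N = 1 << k
    return (Fraction(h, 2), Fraction(h * (2 * h + 1), 6),
            Fraction(N - 1, 2), Fraction((N - 1) * (2 * N - 1), 6))


def s1_moments(m, h, k):
    """E(s_1) and E(s_1^2) for s_1 = sum_{i<m} a_i x_i with independent a_i, x_i."""
    Ea, Ea2, Ex, Ex2 = moments(h, k)
    E_s1 = m * Ea * Ex
    E_s1sq = m * Ea2 * Ex2 + (m * m - m) * Ea ** 2 * Ex ** 2
    return E_s1, E_s1sq


def delta_variance(m, h, k):
    """Variance of an entry of Delta s_1 (difference of two independent copies of s_1): 2 Var(s_1)."""
    E_s1, E_s1sq = s1_moments(m, h, k)
    return 2 * (E_s1sq - E_s1 ** 2)


def two_E_s1_squared(m, h, k):
    """The larger quantity 2 E(s_1^2), the bound displayed in Lemma 6 (before 2^k - 1 ~ 2^k)."""
    return 2 * s1_moments(m, h, k)[1]


def brute_force_delta_variance(m, h, k):
    """Enumerates every Step 2 choice (feasible only for tiny m, h, k) and returns 2 Var(s_1) exactly."""
    values = [sum(ai * xi for ai, xi in zip(a, x))
              for a in product(range(h + 1), repeat=m)
              for x in product(range(1 << k), repeat=m)]
    mean = Fraction(sum(values), len(values))
    return 2 * Fraction(sum((v - mean) ** 2 for v in values), len(values))


def size_gap(t, m, h, variance=delta_variance):
    """(t+1) - log2(sigma) with k = floor(t - log2(mh) - 2), as in the table above."""
    k = math.floor(t - math.log2(m * h) - 2)
    return (t + 1) - math.log2(variance(m, h, k)) / 2
```

For Case 1 at RSA-512 (`size_gap(255, 19, 10)`), the true variance gives a gap of about 7.2 bits, whereas the bound gives about 4.9 bits; the table's 5.4 sits close to the latter, so the lattice attack has a larger margin than the table suggests. The gap is the same at $t = 383$, as the text states.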



Thus, a vector orthogonal to $\Delta\sigma_p$ (resp. $\Delta\sigma_q$) is either relatively long, or 
such that $q-1$ (resp. $p-1$) divides its dot product with $\Delta\sigma_q$ (resp. $\Delta\sigma_p$). Note 
that, since the vectors $\Delta\sigma_p$ and $\Delta\sigma_q$ are generated using the random values $Q_p^{[i]}$'s 
and $Q_q^{[i]}$'s, there is no intrinsic reason why a vector orthogonal to one of them 
should also be orthogonal to the other. Thus, if $u$ is orthogonal to $\Delta\sigma_p$, the 
dot product $u \cdot \Delta\sigma_q$ is a non-zero multiple of $q-1$. This implies that if we find 
several short vectors orthogonal to $\Delta\sigma_p$ (resp. $\Delta\sigma_q$), then $q-1$ (resp. $p-1$) will 
be revealed by simple gcds. 

The previous section shows that one can expect to find (in polynomial time) 
many independent vectors orthogonal to $\Delta\sigma_p$ with norm around $\|\Delta\sigma_p\|^{1/(r-1)}$ 
(the lattice spanned by $\Delta\sigma_p$ has dimension 1 in $\mathbb{Z}^r$). 
When $r$ is sufficiently large, these vectors are short enough to reveal $q-1$, and 
therefore the factorization. Finally, our attack is the following: 

1. Compute a reduced basis of $(\Delta\sigma_p)^\perp$. 

2. Consider the shortest vectors in this basis (a few are enough) and compute 
their dot product with $\Delta\sigma_q$. 

3. Compute the gcd of all these dot products and check whether it is $q-1$. 

In practice, only Step 1 takes a little time. Note that the server only needs to 
store the $\sigma_p^{[i]}$'s and the $\sigma_q^{[i]}$'s (not even the signatures) to run the attack. 
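The orthogonal-lattice computation of Theorem 2 (Section 3), which is Step 1 of the attack above, as an added worked example in Python that is not the authors' NTL code: an exact-arithmetic LLL, the single reduction of the rows $(e_i \mid K\,b_1[i], \dots, K\,b_d[i])$ whose first $n-d$ reduced rows form a basis of $L^\perp$, and a Gram-determinant check of Theorem 1 ($\det(L^\perp) = \det(\bar L)$, which is $\det(L)$ for the primitive toy inputs). The scaling factor $K$, the toy vectors and the function names are assumptions of this example; the real attack feeds $\Delta\sigma_p$ as the single vector.

```python
from fractions import Fraction


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(b):
    """Exact Gram-Schmidt: returns (b*, mu) for the rows of b."""
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = Fraction(dot(b[i], bstar[j])) / dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * sj for vi, sj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL (size reduction + Lovasz condition) on linearly independent integer rows.
    Gram-Schmidt is recomputed after every change: slow, but exact and fine for toy dimensions."""
    b = [list(row) for row in basis]
    n = len(b)
    bstar, mu = gram_schmidt(b)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_{k-1}, ..., b_0
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        lhs = dot(bstar[k], bstar[k])
        rhs = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if lhs >= rhs:                            # Lovasz condition holds, move on
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def orthogonal_lattice(vectors):
    """Reduced basis of L^perp = {u in Z^n : u . b = 0 for every b in vectors} by one LLL reduction.
    Row i of the input is (e_i | K b_1[i], ..., K b_d[i]); any lattice vector whose last d
    coordinates are not all zero has norm >= K, so with K large enough (assumption: the value
    below) the first n-d reduced rows have a zero tail and their heads form a basis of L^perp."""
    d, n = len(vectors), len(vectors[0])
    K = n * (1 << n) * max(dot(v, v) for v in vectors)
    rows = []
    for i in range(n):
        e = [0] * n
        e[i] = 1
        rows.append(e + [K * v[i] for v in vectors])
    reduced = lll(rows)
    return [row[:n] for row in reduced if all(c == 0 for c in row[n:])]


def gram_det(basis):
    """det(L)^2 = det(B B^T) for a lattice basis B, by exact Gaussian elimination."""
    m = len(basis)
    g = [[Fraction(dot(u, v)) for v in basis] for u in basis]
    det = Fraction(1)
    for i in range(m):
        piv = next((r for r in range(i, m) if g[r][i] != 0), None)
        if piv is None:
            return 0
        if piv != i:
            g[i], g[piv] = g[piv], g[i]
            det = -det
        det *= g[i][i]
        for r in range(i + 1, m):
            f = g[r][i] / g[i][i]
            g[r] = [x - f * y for x, y in zip(g[r], g[i])]
    return int(det)


# Constructed toy inputs: a primitive vector in Z^5 (d = 1) and two vectors spanning a
# primitive lattice in Z^4 (d = 2).
B1 = [(3, 1, 4, 1, 5)]
B2 = [(1, 2, 3, 4), (2, 0, 1, 1)]


def demo():
    """Returns (basis of B1^perp, basis of B2^perp); each has n - d vectors and gram_det equal to that of L."""
    return orthogonal_lattice(B1), orthogonal_lattice(B2)
```

For the attack, `orthogonal_lattice([delta_sigma_p])` with $r \approx 50$ entries of 512 bits is far beyond this exact-rational LLL; that is why the paper uses NTL's floating-point LLL with extended exponent. The structure of the computation is the same: one reduction, then read off the rows with zero tail.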

5 Experiments 

We implemented the attack using the NTL package, which includes efficient 
lattice-reduction algorithms. We used the LLL floating point version with 
extended exponent to compute orthogonal lattices, since the entries of $\Delta\sigma_p$ were 
too large (about the size of $n$) for the usual floating point version. In practice, 
the attack reveals the secret factorization as soon as $r$ (the number of signatures) 
is large enough, and the total computation time is less than 5 minutes 
on an UltraSparc-I clocked at 167 MHz, when $r$ is less than 70. It actually takes 
more time to generate the signatures along with the different parameters than 
to recover the factorization. 

The following table shows the practical number of RSA signatures which are 
necessary to make the attack successful, for different key sizes and choices of 
parameters. 
Minimal number of signatures 

                  Case 1   Case 2   Case 3   Case 4 
    h               10        7       17       11 
    m               19       22       25       29 
    RSA-512         53       50       56       53 
    RSA-768         54       52       56       54 
    RSA-1024        62       60       63       62 

When $r$ reaches these values, at least the 10 shortest vectors of the reduced 
basis are also orthogonal to $\Delta s_1$. Generally, 5 of them are enough to reveal $q-1$. 

When $r$ is larger, most of the vectors of the reduced basis are very short and 
have similar norms, and their dot product with $\Delta\sigma_q$ is a non-zero multiple of 
$q-1$. As previously, we only need a few of them to discover the factorization. 

6 Conclusion 

We presented a simple passive attack against the Beguin-Quisquater server-aided 
RSA protocol. It is based on the basic notion of an orthogonal lattice. This 
notion was introduced as a useful tool in a paper published last year, which 
cryptanalyzed a knapsack-like cryptosystem proposed by Qu and Vanstone. We 
applied this technique in a different manner, but the success of our attack relies 
on the main property of orthogonal lattices as well: given a low-dimensional 
lattice, one can easily find many short and linearly independent vectors in the 
corresponding orthogonal lattice. 

The attack has been implemented, and is devastating in practice, for all the 
choices of parameters suggested by Beguin and Quisquater. Once the card has 
produced about 50 signatures, the server can quickly recover the secret 
factorization of the RSA key, without storing much information. This shows that the 
Beguin-Quisquater server-aided RSA protocol is not secure, and stresses the 
importance of provable security as opposed to security against all known attacks. 
The existence of a server-aided RSA signature protocol which is both efficient 
(without requiring expensive precomputations) and provably secure against 
passive and active attacks remains open. 
Abstract. With equitable key escrow the control of society over the 
individual and the control of the individual over society are shared fairly. 
In particular, the control is limited to specified time periods. We consider 
two applications: time controlled key escrow and time controlled 
auctions with closed bids. In the first the individual cannot be targeted 
outside the period authorized by the court. In the second the individual 
cannot withhold his closed bid beyond the bidding period. We propose 
two protocols, one for each application. We do not require the use of 
tamper-proof devices. 



Key Words: key escrow, auctions with closed bids, time stamps. 

1 Introduction 

Key escrow has been proposed as a mechanism to protect society from individu- 
als who use a communication system for criminal purposes [4,25, 10] (an excel- 
lent survey of key escrow systems is given by D.E. Denning and D.K. Branstad 
in [11]). However key escrow can also be used to target innocent individuals. This 
potential targeting is a major factor which contributes to the social unaccept- 
ability of key escrow. From the point of view of an individual, key escrow may 
restrict his/her privacy and give controlling power to society (Big Brother [8]), 
which may, in certain circumstances, abuse it. In a society oriented key escrow 
system this power must be equally shared between the individual and society 

* A part of this research has been supported by NSF Grant NCR-9508528. 
(for an analysis of fair cryptosystems see [25,23]). Furthermore it must have a 
limited life span. Indeed a major objection to currently proposed key escrow 
schemes is that there is no effective time control. Once an order to recover a key 
by the escrow agents has been given, there is nothing to prevent the agents from 
abusing their power and decrypting all wire-tapped messages, far beyond the 
time specified by the Court order. Various scenarios can be envisaged in which 
a threat against a minority is indeed serious. While the Bellare-Goldwasser [3] 
scheme protects a majority against Big Brother, it does not protect a minority. 
For example, an extremist group aiming to take control of the government can 
wire-tap all communication of suspect dissidents, which would then be decrypted 
when the group took over control. 

It is essential that the control of the escrow agents be limited to specified 
time periods, beyond which it should not be possible for the agents to recover 
the “old” private keys of a targeted individual. For this purpose we have chosen 
in our first application of equitable key escrow, to update the keys at regular 
intervals, and to make it infeasible to compute old keys from the new key. The 
escrow agents must destroy all the shares of the old keys with each updating. 
We can allow for a small number of corrupted agents who keep their old shares, 
but these should not be sufficient to reconstruct the keys. 

Our second application of equitable key escrow is contract bidding. In this 
case it is the individual who may try to abuse society. To prevent a tender 
from being opened before the specified date, it is encrypted with an escrowed 
key. The bidder must have some control over the encryption otherwise one can 
envisage situations in which the escrow agents may collude with a corrupted 
receiving agent. This threat can be eliminated if the bidder pre-encrypts the bid 
with his/her own key. However the bidder may then withhold the key. There 
are several scenarios in which such a threat may be of concern. For example, if 
altered circumstances make the bid unprofitable, or loss making. In this case, 
it is “society” (the receiving office) which is threatened by the individual (the 
bidder) . The solution we propose is to force the bidder to use a weak encryption 
key (a nice discussion on weak encryption is given in [29]). This imposes a time 
limit which should make it possible for the agents to recover the bid after the 
tender is opened. Two keys are used: a key for the bidder and an escrowed key. 
The pair of these keys can be regarded as an enlarged escrow key, in which the 
share of the bidder is her/his key while the shares of the agents are their old 
shares. (In this way the bidder is included in all authorized sets.) 

Our goal in this paper is to design protocols which achieve equitable key 
escrow. The organization of this paper is as follows. In Section 2 we present our 
first protocol for a time controlled key escrow system and discuss its security. In 
Section 3 we present a protocol for time controlled auctions with closed bids. 



Notation and Background 

Let $p$ be a prime and $g \in \mathbb{Z}_p$ an element of large order. All operations in $\mathbb{Z}_p$ 
are performed modulo $p$. For simplicity, and when there is no ambiguity, we 
drop the operator "mod $p$". We also write $x \in_R X$ to indicate that the element 
$x$ is selected uniformly at random from the set $X$, independently of all other 
selections. 

The Diffie-Hellman [16] operator $\mathrm{DH}$ is defined by $\mathrm{DH}(g^a, g^b) = g^{ab}$. The 
problem of finding $\mathrm{DH}(g^a, g^b)$, given $g^a, g^b$, is believed to be hard, and is called 
the Diffie-Hellman problem. If $g^a, g^b$ and $z \in \mathbb{Z}_p$ are given, then the problem of 
deciding whether $z = \mathrm{DH}(g^a, g^b)$ is called the Diffie-Hellman decision problem. If 
this problem is hard then so is the Diffie-Hellman problem. The squaring Diffie- 
Hellman problem [24] is the problem of finding $\mathrm{DH}(g^a, g^a)$ given $g^a$. This problem 
is as hard as the Diffie-Hellman problem under some reasonable conditions [24, 
Theorem 2]. The problem of deciding whether $z = \mathrm{DH}(g^a, g^a)$ given $z, g^a$ is the 
squaring Diffie-Hellman decision problem. If this problem is hard then so are the 
Diffie-Hellman problem, the Diffie-Hellman decision problem and the squaring 
Diffie-Hellman problem. We will also consider the problem of finding elements 
with large order in $\mathbb{Z}_p$. This is related to Problem C19 in the Adleman-McCurley 
list of open problems in Number Theoretic Complexity [1], and is considered to 
be hard. 

2 Time controlled key escrow 

For simplicity we focus on a basic $\ell$-out-of-$\ell$ escrow system. We will discuss 
generalizations to other access structures later on. 

Our system uses a Discrete Logarithm setting with prime modulus $p$ and 
$g \in \mathbb{Z}_p$ an appropriate element of large order. Initially, at time $t = 0$, the private 
key of the receiver, Bob, is $a \in \mathbb{Z}_{p-1}$ and the public key is $y_0 = g^a \bmod p$. Bob 
shares his private key among $\ell$ escrow agents $EA_i$, $i = 1, 2, \dots, \ell$. 

In our basic model each agent gets a share $s_i \in \mathbb{Z}_{p-1}$ ($i = 1, 2, \dots, \ell-1$), 
and $s_\ell$ is such that $s_1 \cdot s_2 \cdots s_\ell = a \bmod (p-1)$. The main feature of our system 
is that the private key of Bob and its shares are updated at regular intervals 
without the need for interaction. At time $t$, the private key of Bob is updated 
to $a^{2^t} \bmod (p-1)$, the shares are updated to $s_i^{2^t} \bmod (p-1)$, and the public 
key is updated to $y_t = g^{a^{2^t}} \bmod p$. The agents $EA_i$ compute the new shares 
by themselves, and must destroy the old shares. As a consequence, the escrow 
agents cannot enable the decryption of a ciphertext which was encrypted with 
an old key at a later date, even if forced. We shall prove that the problem of 
decrypting encryptions with earlier keys is related to two problems: the problem 
of finding elements of large order in $\mathbb{Z}_p$ and the squaring Diffie-Hellman decision 
problem. Both problems are believed to be hard (cf. [1,24]). 

We first describe our basic protocol in more detail. For this purpose we 
combine the multiplicative threshold scheme of Boyd [7], the ElGamal threshold 
scheme of Desmedt-Frankel [14] and add time dependency using ideas from 
Blum-Blum-Shub [6]. For verification we adapt Pedersen's scheme [27]. 
Setting 

The parties involved: the sender Alice, the receiver Bob, a Court, the Law 
Enforcement Agency LEA, and the Escrow Agents $EA_i$, $i = 1, 2, \dots, \ell$. 

The parameters: A Discrete Logarithm setting is used. Bob chooses a prime $p$ 
such that $p-1$ has two large prime factors $p_1, p_2$, with $p_1 \equiv p_2 \equiv 3 \pmod 4$, so 
$(-1 \mid p_1) = (-1 \mid p_2) = -1$ ($p_1 p_2$ is a Blum integer [6]), and an element $g \in \mathbb{Z}_p$ 
whose order is $p_1 p_2$. Bob gives $p, g$ to all the agents $EA_i$, $i = 1, 2, \dots, \ell$, and to 
Alice. 

Bob has a long term public key which is known to all parties concerned. This key 
is used for authenticating (signing) Bob's encryption keys and the parameters 
$p, g$, if required. 

Set-up 

Set time $:= 0$. 

Bob chooses his private key $a \in_R \mathbb{Z}^*_{p-1}$ and finds $\ell$ shares $s_i$ of it, $i = 1, \dots, \ell$, 
by choosing $s_i \in_R \mathbb{Z}^*_{p-1}$ for $i = 1, \dots, \ell-1$, and taking $s_\ell = a \cdot (s_1 \cdots s_{\ell-1})^{-1}$ 
modulo $p-1$. The public key of Bob is $y_0 = g^a$. Bob publishes this key. 

Then, 

1. Bob gives privately to each agent $EA_i$, $i = 1, 2, \dots, \ell$, the share $s_i$. 

2. Bob publishes $z_1 := g^{s_1}, z_2 := g^{s_2}, \dots, z_\ell := g^{s_\ell}$, and each agent $EA_i$ checks 
that these are correct, that is, that $z_i = g^{s_i}$, where $s_i$ is its share. If any check 
fails then Bob has cheated and is reported to the LEA. 

Bob publishes $z_{1,2} := g^{s_1 s_2}, z_{1,2,3} := g^{s_1 s_2 s_3}, \dots, z_{1,2,\dots,\ell} := g^{s_1 s_2 \cdots s_\ell}$ ($= y_0$), 
and proves in zero-knowledge to the LEA that these are correctly 
constructed. That is, Bob proves that $z_{1,2,\dots,k} = \mathrm{DH}(z_{1,2,\dots,k-1}, z_k)$, for $k = 
2, \dots, \ell$, by using an interactive zero-knowledge proof for the Diffie-Hellman 
problem; an example of such a proof is given in Appendix A. If any of the 
proofs fails, then Bob has cheated and is reported to the LEA. 

The protocol 

Updating 

At time $= t$ 

Each agent $EA_i$ updates his share by squaring it, i.e., the current share is 
$s_i^{2^t} \bmod (p-1)$, and then destroys the old share ($s_i^{2^{t-1}} \bmod (p-1)$). 

Bob updates his private key to $a^{2^t} \bmod (p-1)$ and publishes his public key 
$y_t := g^{a^{2^t}} \bmod p$. If necessary Bob proves to the LEA that this is correct by 
using an interactive zero-knowledge proof for the Diffie-Hellman problem (for 
example, the interactive proof given in Appendix A). That is, Bob proves that 
$y_t = \mathrm{DH}(y_{t-1}, y_{t-1})$. 

Getting an escrowed key 

1. Alice asks Bob for a new encryption key. 

2. Bob sends Alice his public key, which is authenticated with his long term 
key. 

3. If Bob's signature is valid then Alice sends Bob the encryption $\mathrm{ElG}(m) = 
(g^r, m\,y_t^r)$, $r \in_R \mathbb{Z}^*_{p-1}$, of a message $m \in \mathbb{Z}_p^*$ with key $y_t$. 

4. If the Court has issued an order to recover the message, then the LEA 
will wire-tap the communication and send $g^r$ to agent $EA_1$. The agents 
$EA_1, EA_2, \dots, EA_\ell$ then compute $y_t^r$ sequentially as follows: for $i < \ell$, each 
$EA_i$ on receiving $g^{r \prod_{j=1}^{i-1} s_j^{2^t}}$ computes $g^{r \prod_{j=1}^{i} s_j^{2^t}} := \bigl(g^{r \prod_{j=1}^{i-1} s_j^{2^t}}\bigr)^{s_i^{2^t}}$, which it 
sends to $EA_{i+1}$. Agent $EA_\ell$ then computes $\bigl(g^{r \prod_{j=1}^{\ell-1} s_j^{2^t}}\bigr)^{s_\ell^{2^t}}$, which it sends to 
the LEA. Since this corresponds to $y_t^r$, the LEA can decrypt the ciphertext. 
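The set-up, the squaring update and the co-decryption of step 4, as an added Python example that is not the authors' code: toy primes $p_1 = 1019$, $p_2 = 1031$ (both $3 \bmod 4$), a searched prime $p$ with $p_1 p_2 \mid p-1$, an element $g$ of order $p_1 p_2$, $\ell = 3$ agents, ElGamal encryption under $y_t$ and the sequential raising by the agents. It also shows that the shares of period $t+1$ no longer yield $y_t^r$, which is what "destroy the old share" buys. The zero-knowledge proofs of the set-up are omitted; the parameter values, the prime search and all function names are assumptions of this example.

```python
import random
from math import gcd, prod


def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24), plenty for toy parameters."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def setup_parameters(p1, p2):
    """Setting: a prime p with p1*p2 | p-1 (p1 = p2 = 3 mod 4, so p1*p2 is a Blum integer) and
    g of order exactly p1*p2. Searching c with p = 2*c*p1*p2 + 1 is this example's choice."""
    assert p1 % 4 == 3 and p2 % 4 == 3 and is_probable_prime(p1) and is_probable_prime(p2)
    c = 1
    while not is_probable_prime(2 * c * p1 * p2 + 1):
        c += 1
    p = 2 * c * p1 * p2 + 1
    for x in range(2, p):
        g = pow(x, (p - 1) // (p1 * p2), p)       # order divides p1*p2
        if pow(g, p1, p) != 1 and pow(g, p2, p) != 1:
            return p, g                             # order is neither 1, p1 nor p2, hence p1*p2
    raise ValueError("no element of order p1*p2")


def random_unit(modulus, rng):
    """Uniform element of Z*_modulus."""
    while True:
        u = rng.randrange(1, modulus)
        if gcd(u, modulus) == 1:
            return u


def share_key(a, ell, p, rng):
    """Set-up: s_1..s_{ell-1} random in Z*_{p-1}, s_ell = a * (s_1 ... s_{ell-1})^{-1} mod (p-1)."""
    shares = [random_unit(p - 1, rng) for _ in range(ell - 1)]
    shares.append(a * pow(prod(shares), -1, p - 1) % (p - 1))
    return shares


def square_all(values, p):
    """Updating: every share (and Bob's key) is squared mod (p-1); the previous values are destroyed."""
    return [v * v % (p - 1) for v in values]


def elgamal_encrypt(m, y, g, p, rng):
    """Step 3: ElG(m) = (g^r, m y^r) with r in Z*_{p-1}."""
    r = random_unit(p - 1, rng)
    return pow(g, r, p), m * pow(y, r, p) % p


def co_decrypt(c1, c2, shares, p):
    """Step 4: the LEA hands g^r to EA_1; each agent raises what it receives to its current share
    and passes it on; the last value is y^r, so the LEA recovers m = c2 / y^r."""
    w = c1
    for s in shares:
        w = pow(w, s, p)
    return c2 * pow(w, -1, p) % p


P1, P2 = 1019, 1031          # constructed toy primes, both 3 mod 4


def run_escrow(seed=1, periods=2, m=4242, ell=3):
    """Set-up, `periods` squaring updates, one encryption under y_t and the co-decryption.
    Returns (message recovered at time t, value obtained with the period t+1 shares, consistency flag)."""
    rng = random.Random(seed)
    p, g = setup_parameters(P1, P2)
    a = random_unit(p - 1, rng)
    shares = share_key(a, ell, p, rng)
    ok = pow(g, prod(shares) % (p - 1), p) == pow(g, a, p)       # z_{1,...,ell} = y_0
    for _ in range(periods):
        a_prev, a = a, a * a % (p - 1)
        shares = square_all(shares, p)
        ok &= pow(g, a, p) == pow(pow(g, a_prev, p), a_prev, p)  # y_t = DH(y_{t-1}, y_{t-1})
    y_t = pow(g, a, p)
    c1, c2 = elgamal_encrypt(m, y_t, g, p, rng)
    recovered = co_decrypt(c1, c2, shares, p)
    stale = co_decrypt(c1, c2, square_all(shares, p), p)          # agents at time t+1, old shares gone
    return recovered, stale, ok
```

The agents never see each other's shares and never reconstruct $a^{2^t}$: the exponentiation chain multiplies the shares inside the exponent, which is why the set-up can check the product through $z_{1,\dots,\ell} = y_0$ alone. At real sizes the stale decryption is not merely wrong but, by Theorem 1 below, infeasible to correct without solving a hard problem.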



Security 

Theorem 1. (Irreversible time) If the squaring Diffie-Hellman decision problem 
is hard and if finding elements of large order in $\mathbb{Z}_p$ is hard, then decrypting 
old ciphertext with new shares of the escrow agents is hard. 

Proof. (Sketch) Suppose that there is a polynomial time algorithm $A$ which, 
on input $p, g, z_1, z_2, \dots, z_\ell, z_{1,2}, z_{1,2,3}, \dots, z_{1,2,\dots,\ell}$, the shares $s_1^{2^t}, \dots, s_\ell^{2^t}$, 
the old shares of $(\ell-1)$ corrupted shareholders, Bob's long term public key, 
the certificates $(p, g, y_j, \mathrm{sign}_{Bob}(p, g, y_j))$, $j = 1, 2, \dots, t$, and an old ciphertext 
$(w_1, w_2)$, with $w_1 = g^r$, $r \in_R \mathbb{Z}^*_{p-1}$, $w_2 = m\,y_{t-u}^r$, $m \in \mathbb{Z}_p^*$, will output the message 
$m$. Then $A$ can be used to compute $y_{t-u}^r$ ($= w_2/m$). We will now use $A$ to 
get an element in $\mathbb{Z}_p$ of large order. First we prepare an input for $A$. 

Note that $0 < u < t$ (since the public key $y_0$ is never used to encrypt). Assume 
that the dishonest escrow agents are $i_1, i_2, \dots, i_{\ell-1}$ and let $i_\ell$ be the 
honest escrow agent. Find an appropriate long term secret key for Bob. Choose 
$s_1, s_2, \dots, s_\ell \in_R \mathbb{Z}_{p-1}$. Compute $b_0 = s_1 \cdots s_\ell \bmod (p-1)$, $z_1 := g^{s_1}$, $z_2 := g^{s_2}$, 
$\dots$, $z_\ell := g^{s_\ell}$, $z_{1,2} := g^{s_1 s_2}$, $\dots$, $z_{1,2,\dots,\ell} := g^{s_1 s_2 \cdots s_\ell}$, and $y_0 := g^{b_0}$, $y_1 := g^{b_0^2}$, 
$\dots$, $y_{t-u-1} := g^{b_0^{2^{t-u-1}}}$. 

Take $b \in_R \mathbb{Z}^*_{p-1}$ and compute $s'_{i_1} := s_{i_1}^{2^{t-u}}$, $s'_{i_2} := s_{i_2}^{2^{t-u}}$, $\dots$, $s'_{i_{\ell-1}} := 
s_{i_{\ell-1}}^{2^{t-u}} \bmod (p-1)$. Compute $s := s'_{i_1} \cdot s'_{i_2} \cdots s'_{i_{\ell-1}}$, $s'_{i_\ell} := b \cdot s^{-1}$, and the public 
keys $y_{t-u} := g^{b}$, $y_{t-u+1} := g^{b^2}$, $\dots$, $y_t := g^{b^{2^u}}$. Observe that even though it is 
highly unlikely that the public key $y_{t-u}$ is properly constructed (that is, it is 
highly unlikely that $y_{t-u} = \mathrm{DH}(y_{t-u-1}, y_{t-u-1})$), it is hard for $A$ to recognize 
this, if the squaring Diffie-Hellman decision problem is hard. 

Give as input to $A$: $p, g, z_1, z_2, \dots, z_\ell, z_{1,2}, \dots, z_{1,2,\dots,\ell}$, the "shares" $(s'_1)^{2^u}, \dots, 
(s'_\ell)^{2^u}$, the "old shares" $s'_{i_1}, \dots, s'_{i_{\ell-1}}$, Bob's long term public key, the certificates 
$(p, g, y_j, \mathrm{sign}_{Bob}(p, g, y_j))$, $j = 1, 2, \dots, t$, and an "old" ciphertext $(w_1, w_2)$ 
encrypted at time $t-u$, with $w_1 = g^r$, $r \in_R \mathbb{Z}^*_{p-1}$, and $w_2 \in_R \mathbb{Z}_p^*$. Algorithm 
$A$ will output a message $\tilde m$ such that $w_2/\tilde m = (g^{d})^{r}$, where $d$ is the $2^u$-th root of 
$b^{2^u}$ which is a quadratic residue in $\mathbb{Z}_{p_1 p_2}$. However $b$ was chosen at random in 
$\mathbb{Z}^*_{p-1}$, so that with probability $3/4$ we get that $b \bmod p_1 p_2$ is not a residue in 
$\mathbb{Z}_{p_1 p_2}$. (Indeed $d^{2^t}$, for $t \ge 1$, has 4 square roots in $\mathbb{Z}_{p_1 p_2}$, of which only one is 
a quadratic residue, because of our restrictions on the primes $p_1, p_2$. It follows 
that there is only one primitive $2^u$-th root of $b^{2^u}$ in $\mathbb{Z}_{p_1 p_2}$, $0 < u < t$, which is 
a quadratic residue in $\mathbb{Z}_{p_1 p_2}$.) Then with probability one half, $b - d$ is either a 
multiple of $p_1$ or a multiple of $p_2$. This means that $g^{b-d} = g^b / g^d$ (where $g^d$ is 
obtained from $w_2/\tilde m$ by raising it to $r^{-1} \bmod (p-1)$, $r$ being known) has order 
$p_1$ or $p_2$. Consequently $A$ can find an element in $\mathbb{Z}_p$ of large order. 

(Note that, since we work modulo $p$, the view of the communication between 
the escrow agents when co-decrypting can also be included in the simulation, 
as discussed in the final paper. Moreover, if this communication is encrypted 
(to prevent an outsider from learning the ciphertext), the simulation of this part is 
straightforward.) □ 

Theorem 2. (Privacy) A wire-tapper may try to decipher the ciphertext. This is as hard as the Diffie-Hellman problem.

Proof. (Sketch) We show this by using the approach in [13]. Suppose that $B$ is a polynomial time algorithm which on input: $p, g, z_1, z_2, \ldots, z_\ell, z_{1,2}, z_{1,2,3}, \ldots, z_{1,2,\ldots,\ell}$, the certificates $(p, g, y_j, \mathrm{sign}_{Bob}(p, g, y_j))$, $j = 1, 2, \ldots, t$, and the ciphertext $(w_1, w_2)$, $w_1 = g^r$, $w_2 = m\, y_t^{\,r}$, will output $m$. We now prove that $B$ can be used to solve the Diffie-Hellman problem. Let $p, g, y_t, w_1$ be an instance of the Diffie-Hellman problem. Construct $z_1, z_2, \ldots, z_\ell, z_{1,2}, \ldots, z_{1,2,\ldots,\ell}, y_0, y_1, \ldots, y_t \in \mathbb{Z}_p^*$ as in the previous case. Give this as input to $B$ together with $(w_1, w_2)$, to get a "message" $\tilde m$ such that $w_2/\tilde m = \mathrm{DH}(y_t, w_1)$ $(= y_t^{\,r})$.

The rest can all be simulated because we have used zero-knowledge proofs. □



2.1 Generalizations

Generalizing time controlled $\ell$-out-of-$\ell$ key escrow systems to $\ell'$-out-of-$\ell$ systems is straightforward when using more complex secret sharing schemes over $\mathbb{Z}_{p-1}^*$. The subset of escrow agents involved in the decryption must be known in advance. Secret sharing schemes that could be used for this purpose can be found in [15,12,2,5], when using techniques such as those described in [18,13]. Robustness can be achieved by using, for example, [21,20].

Other properties such as proactive secret sharing can also be achieved using [22,19,28].

3 Time controlled auctions with closed bids

We first consider a basic (additive) $\ell$-out-of-$\ell$ escrow system, using a simple setting. Generalizations will be discussed later.

Our system uses a Discrete Logarithm setting with composite modulus $n = p_1 p_2$, where $p_1, p_2$ are appropriate large primes. The bidder, Alice, chooses $n$ and $g_1, g_2 \in \mathbb{Z}_n^*$ such that $g_1$ has large order whereas $g_2$ has a rather small prime order $q$. Alice has two public keys for encryption: $y_1 = g_1^{a_1} \bmod n$, $y_2 = g_2^{a_2} \bmod n$, where $a_1 \in_R \mathbb{Z}_{\phi(n)}$, $a_2 \in_R \mathbb{Z}_q$. The private key $a_1$ is shared among $\ell$ escrow agents $EA_i$, $i = 1, 2, \ldots, \ell$. The other is not shared. For this system the public key $y_2$ is weak and must be used only once. This key must be such that it can be recovered by an exhaustive search of the key space, but the time taken for this search should not be too short.$^1$

Alice "double" encrypts her contract bid $m$ by using the keys $y_1, y_2$. Let $\mathrm{ElG}^2(m)$ be the encryption. Alice sends this to the receiving agent Bob. At completion she will reveal both secret keys $a_1, a_2$, from which Bob will get the tendered bid $m$. If Alice refuses to reveal these keys, then Bob informs the escrow agents who will enable a first decryption. This will make it possible for Bob to get an encryption $\mathrm{ElG}(m)$ of $m$ with private key $a_2$. Bob then initiates a procedure to recover $m$, by exhaustively breaking this encryption. Bob can achieve this because the second key is relatively weak. A similar argument applies if a Court order is issued to the escrow agents to enable the decryption of $\mathrm{ElG}^2(m)$. The security issues of this protocol will be discussed in more detail later. We first describe the protocol more formally. For this purpose we use the additive threshold scheme of Boyd and Frankel [7,17], and/or the ElGamal threshold scheme of Desmedt-Frankel [14] and use the concept of weak encryption (see, e.g., [29]).

Setting

The parties involved: the bidder Alice, the receiving officer Bob, a Court, the Law Enforcement Agency LEA, and the Escrow Agents $EA_i$, $i = 1, 2, \ldots, \ell$.

The parameters: Both Alice and Bob have long term public keys which are known to each other. These keys are used for authentication (signing).

A Discrete Logarithm setting is used with a composite modulus $n$. Alice chooses $n = p_1 p_2$, a product of two large primes $p_1, p_2$, with $p_1 - 1 = 2 q q_1$, $p_2 - 1 = 2 q q_2$, $q_1, q_2$ primes, and $q$ a rather small prime (say 140 bits).

Alice chooses $g_1$ and $g_2 \in \mathbb{Z}_n^*$ such that $\mathrm{ord}(g_2 \bmod p_1) = \mathrm{ord}(g_2 \bmod p_2) = q$. Here $\mathrm{ord}(g_2 \bmod p_1)$ is the order of $g_2$ in $\mathbb{Z}_{p_1}^*$ and $\mathrm{ord}(g_2 \bmod p_2)$ is the order of $g_2$ in $\mathbb{Z}_{p_2}^*$. Consequently $g_2$ has order $q$ in $\mathbb{Z}_n^*$.

Set-up

Alice chooses $a_1 \in_R \mathbb{Z}_{\phi(n)}$, $a_2 \in_R \mathbb{Z}_q$. The public key of Alice is $(n, q, g_1, g_2, y_1, y_2)$, where $y_1 := g_1^{a_1} \bmod n$, $y_2 := g_2^{a_2} \bmod n$.

Alice finds $\ell$ shares of $a_1$, by choosing exponents $s_i \in_R \mathbb{Z}_{\phi(n)}$ for $i = 1, 2, \ldots, \ell - 1$, and taking $s_\ell = a_1 - (s_1 + s_2 + \ldots + s_{\ell-1}) \bmod \phi(n)$.

1. Alice gives privately to each agent $EA_i$, $i = 1, 2, \ldots, \ell$, the share $s_i$.

2. Alice publishes $z_1 := g_1^{s_1}, z_2 := g_1^{s_2}, \ldots, z_\ell := g_1^{s_\ell}$. Each agent $EA_i$ checks that $z_i = g_1^{s_i}$ and reports failure to the LEA. The LEA checks that $y_1 = z_1 \cdot z_2 \cdots z_\ell$. If any of the checks of the $EA_i$'s fails or if the LEA's check fails then Alice has cheated, the tender is rejected, and appropriate actions are taken.

$^1$ Since an exhaustive search is parallelizable, some kind of inherently sequential scheme may be used, such as the time-lock puzzles proposed in [29]. Our protocol can easily be adapted to allow for such schemes.

Sending an encrypted contract bid

1. Alice sends Bob the pair of her public keys authenticated with her long term key,

$(n, q, g_1, g_2, y_1, y_2, \mathrm{sign}_{Alice}(g_1, g_2, n, q, y_1, y_2))$,

and the encrypted bid $\mathrm{ElG}^2(m) = (g_1^{r_1}, g_2^{r_2}, m\, y_1^{r_1} y_2^{r_2})$, where $m \in \mathbb{Z}_n^*$ is the bid and $r_1, r_2 \in_R \mathbb{Z}_n$.

2. If the parameters are in the appropriate fields, with $q$ a small prime, if the orders of $g_2$ and $y_2$ are both $q$, and if Alice's public keys are authenticated properly, then Bob accepts the tender and sends Alice a receipt $\mathrm{sign}_{Bob}(\mathrm{Alice}, \mathrm{ElG}^2(m))$.

Opening a tender

When the tender is due to be opened, Alice sends Bob the private keys $a_1, a_2$. Bob checks these for correctness. If correct, $\mathrm{ElG}^2(m)$ is decrypted to get the bid $m$, which is validated.

If Alice refuses to send her keys, the LEA is informed and initiates a procedure to recover $m$.

The Court recovers the bid

If the Court has issued an order to recover the bid, the LEA will wire-tap the communication and send $g_1^{r_1}$ to the escrow agents who will compute $y_1^{r_1}$. From this the LEA can get $\mathrm{ElG}(m) = (g_2^{r_2}, m\, y_2^{r_2})$. The key for this ciphertext is weak, so the LEA can recover $m$ by brute force. However, $q$ has to be sufficiently large to prevent a conspiracy, as explained further on.

Security

The security of this system relies on the difficulty of factoring a number $n = p_1 p_2$, $p_1, p_2$ primes, when a particular number $g_2 \in \mathbb{Z}_n^*$ is given, with a rather small prime order $q$. It is important that both $g_2 \bmod p_1 \neq 1$ and $g_2 \bmod p_2 \neq 1$. Otherwise, if say $g_2 \bmod p_1 = 1$, then $p_1$ is a factor of $g_2 - 1$ and it becomes easy to factor $n$ by taking $\gcd(n, g_2 - 1)$. Observe that for $g_2 = n - 1$ we have $q = 2$, but this trivial case is too small to be of any use for us.

Fair auction bidding

Alice may refuse to open her bid, on completion. Bob will inform the LEA and the Court will authorize the escrow agents to decrypt the ciphertext. The escrow agents will compute $y_1^{r_1}$ from which the LEA will get $\mathrm{ElG}(m) = (g_2^{r_2}, m\, y_2^{r_2})$. The key for this ciphertext is weak, so the LEA can initiate a procedure to recover $m$ by brute force. (Note that $q$ has to be sufficiently large, as we now explain.)

Conspiracy

The agents may be corrupted by the bidding officer Bob. They will recover $\mathrm{ElG}(m) = (g_2^{r_2}, m\, y_2^{r_2})$ but if the key $y_2$ is not too weak they will not be able to recover the message in time. For this reason $q$ cannot be too small.
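The whole protocol of this section, from Alice's parameter generation through both recovery paths, as an added worked example; this is not code from the paper. It uses toy sizes so that the weak-key brute force finishes in a fraction of a second: $q = 1009$ and $p_1, p_2$ of about 21 bits found by searching for primes $q_1, q_2$ with $2 q q_i + 1$ prime, three escrow agents, and a bid $m = 123456$; all of these values are constructed here. The element $g_2$ of order $q$ is built per prime factor and combined by the Chinese Remainder Theorem, and the $\gcd(n, g_2 - 1) = 1$ condition from the Security paragraph is checked explicitly.

```python
import secrets
from math import gcd


def is_prime(n):
    """Trial division; adequate for the toy sizes used in this example."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def find_prime_pair(q, start, exclude=()):
    """Smallest prime q_i >= start (not in exclude) with p = 2*q*q_i + 1 prime."""
    qi = start
    while not (qi not in exclude and is_prime(qi) and is_prime(2 * q * qi + 1)):
        qi += 1
    return qi, 2 * q * qi + 1


def crt(r1, p1, r2, p2):
    """x in [0, p1*p2) with x = r1 (mod p1) and x = r2 (mod p2)."""
    return r1 + p1 * ((r2 - r1) * pow(p1, -1, p2) % p2)


def element_of_order_q(q, p1, p2):
    """g2 with ord(g2 mod p1) = ord(g2 mod p2) = q, hence of order q in Z_n^*."""
    def part(p):
        h = 2
        while pow(h, (p - 1) // q, p) == 1:
            h += 1
        return pow(h, (p - 1) // q, p)   # != 1 and q prime: order exactly q
    return crt(part(p1), p1, part(p2), p2)


def element_of_large_order(n, lam, prime_factors):
    """g1 of order lambda(n) = lcm(p1-1, p2-1), the largest order in Z_n^*."""
    h = 2
    while gcd(h, n) != 1 or any(pow(h, lam // r, n) == 1 for r in prime_factors):
        h += 1
    return h


def setup(q=1009, ell=3):
    """Alice's parameters, keys, and the additive ell-out-of-ell sharing of a1."""
    q1, p1 = find_prime_pair(q, 1000, exclude=(q,))
    q2, p2 = find_prime_pair(q, q1 + 1, exclude=(q,))
    n, phi = p1 * p2, (p1 - 1) * (p2 - 1)
    g2 = element_of_order_q(q, p1, p2)
    assert gcd(n, g2 - 1) == 1               # neither g2 mod p1 nor g2 mod p2 is 1
    g1 = element_of_large_order(n, 2 * q * q1 * q2, (2, q, q1, q2))
    a1, a2 = secrets.randbelow(phi), secrets.randbelow(q)
    pub = {"n": n, "q": q, "g1": g1, "g2": g2,
           "y1": pow(g1, a1, n), "y2": pow(g2, a2, n)}
    shares = [secrets.randbelow(phi) for _ in range(ell - 1)]
    shares.append((a1 - sum(shares)) % phi)  # s_ell = a1 - (s_1 + ... + s_{ell-1})
    prod = 1
    for s in shares:                         # the LEA's check: y1 = z_1 * ... * z_ell
        prod = prod * pow(g1, s, n) % n
    assert prod == pub["y1"]
    return pub, (a1, a2), shares


def encrypt(pub, m):
    """ElG^2(m) = (g1^r1, g2^r2, m * y1^r1 * y2^r2) mod n."""
    n, q = pub["n"], pub["q"]
    r1, r2 = secrets.randbelow(n), secrets.randbelow(q)
    return (pow(pub["g1"], r1, n), pow(pub["g2"], r2, n),
            m * pow(pub["y1"], r1, n) * pow(pub["y2"], r2, n) % n)


def open_bid(pub, ct, a1, a2):
    """Bob's normal path: check the revealed keys, then decrypt directly."""
    n = pub["n"]
    if pow(pub["g1"], a1, n) != pub["y1"] or pow(pub["g2"], a2, n) != pub["y2"]:
        raise ValueError("revealed keys do not match Alice's public keys")
    c1, c2, c3 = ct
    return c3 * pow(pow(c1, a1, n) * pow(c2, a2, n), -1, n) % n


def escrow_recover(pub, ct, shares):
    """Court/LEA path: the agents' c1^{s_i} multiply to y1^r1, which strips the
    strong layer; the remaining ElG(m) under the weak key is brute-forced over Z_q."""
    n, q, g2, y2 = pub["n"], pub["q"], pub["g2"], pub["y2"]
    c1, c2, c3 = ct
    y1_r1 = 1
    for s in shares:
        y1_r1 = y1_r1 * pow(c1, s, n) % n
    weak = c3 * pow(y1_r1, -1, n) % n        # = m * y2^r2
    for a2 in range(q):                      # exhaustive search of the weak key
        if pow(g2, a2, n) == y2:
            return weak * pow(pow(c2, a2, n), -1, n) % n
    raise ValueError("no key found")


def demo(m=123456):
    """Returns (bid opened by Bob, bid recovered via escrow, g2^q mod n)."""
    pub, (a1, a2), shares = setup()
    ct = encrypt(pub, m)
    return open_bid(pub, ct, a1, a2), escrow_recover(pub, ct, shares), pow(pub["g2"], pub["q"], pub["n"])
```

The brute force in `escrow_recover` is the "weak encryption" of the text: its cost is linear in $q$, which is exactly why the Conspiracy paragraph needs $q$ large enough that corrupted agents cannot finish it before the tender closes, and why, with real sizes, an inherently sequential time-lock puzzle would replace the loop.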

Theorem 3. (Privacy) A wire-tapper may try to decipher the bid $m$. This is as hard as breaking the Diffie-Hellman problem.

Proof. (Sketch) For simplicity assume that the dishonest escrow agents are numbered from 1 to $\ell - 1$ (this can easily be generalized). Suppose that $A$ is a polynomial time algorithm which on input: $n, q, g_1, g_2, y_1, y_2$, authenticated with Alice's long term key, $z_1, z_2, \ldots, z_\ell$, and $(g_1^{r_1}, g_2^{r_2}, m\, y_1^{r_1} y_2^{r_2})$, will output $m$. Let $n, g_1, y_1, g_1^{r_1}$ be an instance of the Diffie-Hellman problem similar as in [14,13]. Take $s_1, \ldots, s_{\ell-1} \in_R \mathbb{Z}_n$, and $s = s_1 + \ldots + s_{\ell-1}$. Then let $z_1 = g_1^{s_1}, \ldots, z_{\ell-1} = g_1^{s_{\ell-1}}$ and $z_\ell = y_1 g_1^{-s}$. Find an appropriate long term key for Alice. Finally take $r_2 \in_R \mathbb{Z}_q$ and compute $g_2^{r_2}$ and $y_2^{r_2}$.

Give as input to $A$: $n, q, g_1, g_2, y_1, y_2$, authenticated with Alice's public key, $z_1, \ldots, z_\ell$, and $(g_1^{r_1}, g_2^{r_2}, w)$, where $w \in_R \mathbb{Z}_n^*$. Algorithm $A$ will output $\tilde m$, such that $w/\tilde m = y_1^{r_1} y_2^{r_2}$, from which we get $\mathrm{DH}(y_1, g_1^{r_1}) = y_1^{r_1} = (w/\tilde m)/y_2^{r_2}$. □

Generalizations

Similar generalizations to those in Section 2.1 apply. (Although $\phi(n)$ is not public, techniques similar to those in [18,13] will address this problem.)
A A zero-knowledge proof for the Diffie-Hellman decision problem

The zero-knowledge proof for the Diffie-Hellman decision problem in [9] is not adequate for our purpose, since it is designed for the case when the group of the exponents has prime order. In our case the group of exponents has composite order. The following protocol will serve our purpose.

Input: A prime $p$, $g \in \mathbb{Z}_p^*$ of large order, $\alpha = g^a \bmod p$, $\beta = g^b \bmod p$, $\gamma = g^{ab} \bmod p$.

Repeat independently $t = \log p$ times the following subroutine:

1. The Prover selects exponents $x, y \in_R \mathbb{Z}_{p-1}$ and sends to the Verifier: $K_x = g^x \bmod p$, $K_y = g^y \bmod p$, $K_{xy} = g^{xy} \bmod p$, $K_{ay} = \alpha^y \bmod p$, and $K_{bx} = \beta^x \bmod p$.

2. The Verifier sends the Prover a query bit $e \in \{0, 1\}$.

3. If $e = 0$ the Prover sends $x, y$ to the Verifier, and the Verifier checks that: $K_x = g^x \bmod p$, $K_y = g^y \bmod p$, $K_{xy} = g^{xy} \bmod p$, $K_{ay} = \alpha^y \bmod p$, and $K_{bx} = \beta^x \bmod p$.

If $e = 1$ the Prover sends $a' = a + x \bmod (p-1)$, $b' = b + y \bmod (p-1)$ to the Verifier who checks that: $g^{a'} = \alpha \cdot K_x \pmod p$, $g^{b'} = \beta \cdot K_y \pmod p$, and $g^{a'b'} = \gamma \cdot K_{ay} \cdot K_{bx} \cdot K_{xy} \pmod p$.

If any of the checks fails, the Verifier halts and rejects the proof. The Verifier accepts the proof of the Prover if all $t$ rounds have been completed successfully.

Let $L = \{(p, \alpha, \beta, \gamma) \mid p \text{ prime}, \alpha = g^a \bmod p, \beta = g^b \bmod p, \gamma = g^{ab} \bmod p\}$. Then,

Theorem 4. The protocol above is a perfect zero-knowledge proof of membership in $L$.

Proof. (Sketch)

Completeness: Obvious, since $g^{a'b'} = g^{(a+x)(b+y)} = g^{ab} \cdot g^{ay} \cdot g^{bx} \cdot g^{xy} \pmod p$.

Soundness: If the Prover can answer the queries $e = 0, 1$ then there exist $a, b, x, y$ such that $a' = a + x \bmod (p-1)$, $b' = b + y \bmod (p-1)$, with $K_{ay} = \alpha^y \bmod p$, $K_{bx} = \beta^x \bmod p$, $K_{xy} = g^{xy} \bmod p$, and $\gamma = g^{a'b'} \cdot K_{ay}^{-1} \cdot K_{bx}^{-1} \cdot K_{xy}^{-1} = g^{ab} \pmod p$.

Zero-knowledge: Let $\alpha, \beta, \gamma$ be given. Pick $a', b' \in_R \mathbb{Z}_{p-1}$, and let $K_x = g^{a'}/\alpha \bmod p$, $K_y = g^{b'}/\beta \bmod p$. Then solve $\alpha^{b'} = \gamma \cdot K_{ay} \pmod p$, $\beta^{a'} = \gamma \cdot K_{bx} \pmod p$, $g^{a'b'} = \gamma \cdot K_{ay} \cdot K_{bx} \cdot K_{xy} \pmod p$, for the unknowns $K_{ay}, K_{bx}, K_{xy}$, respectively. □
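The protocol above, together with the simulator from the zero-knowledge part of the proof of Theorem 4, as an added worked example; this is not code from the paper. The page fixes neither $p$ nor $g$, so the block assumes the constructed prime $p = 2^{64} - 59$ with base $g = 2$, and a caller-chosen number of rounds stands in for $t = \log p$. The demo runs an honest proof, a proof of a false statement ($\gamma \neq g^{ab}$, which an honest prover can only survive if every challenge happens to be $e = 0$), and verifies simulated transcripts for both challenge bits.

```python
import secrets

# Constructed parameters for this example: the prime 2^64 - 59 and the base 2.
# The page fixes neither p nor g; any prime p and g of large order would do.
P = (1 << 64) - 59
G = 2


def commit(p, g, alpha, beta, x, y):
    """Step 1: the prover's five commitments for fresh random exponents x, y."""
    return {"Kx": pow(g, x, p), "Ky": pow(g, y, p), "Kxy": pow(g, x * y, p),
            "Kay": pow(alpha, y, p), "Kbx": pow(beta, x, p)}


def respond(p, a, b, x, y, e):
    """Step 3: open (x, y) if e = 0, else reveal a' = a + x and b' = b + y mod p-1."""
    if e == 0:
        return (x, y)
    return ((a + x) % (p - 1), (b + y) % (p - 1))


def check(p, g, alpha, beta, gamma, K, e, resp):
    """The verifier's checks for one round; True means the round is accepted."""
    if e == 0:
        x, y = resp
        return (K["Kx"] == pow(g, x, p) and K["Ky"] == pow(g, y, p)
                and K["Kxy"] == pow(g, x * y, p)
                and K["Kay"] == pow(alpha, y, p) and K["Kbx"] == pow(beta, x, p))
    a1, b1 = resp
    # g^{a'b'} = g^{ab} * g^{ay} * g^{bx} * g^{xy} = gamma * Kay * Kbx * Kxy
    return (pow(g, a1, p) == alpha * K["Kx"] % p
            and pow(g, b1, p) == beta * K["Ky"] % p
            and pow(g, a1 * b1, p) == gamma * K["Kay"] * K["Kbx"] * K["Kxy"] % p)


def run_proof(p, g, a, b, gamma, rounds):
    """Interactive proof that (alpha, beta, gamma) is a DH triple. The prover
    holds a, b; the verifier sees only alpha, beta, gamma and picks each e."""
    alpha, beta = pow(g, a, p), pow(g, b, p)
    for _ in range(rounds):
        x, y = secrets.randbelow(p - 1), secrets.randbelow(p - 1)
        K = commit(p, g, alpha, beta, x, y)
        e = secrets.randbits(1)
        if not check(p, g, alpha, beta, gamma, K, e, respond(p, a, b, x, y, e)):
            return False
    return True


def simulate_round(p, g, alpha, beta, gamma, e):
    """The simulator from the zero-knowledge part of Theorem 4: an accepting
    transcript for challenge e built without knowing a or b."""
    def inv(v):
        return pow(v, -1, p)
    if e == 0:
        x, y = secrets.randbelow(p - 1), secrets.randbelow(p - 1)
        return commit(p, g, alpha, beta, x, y), (x, y)
    a1, b1 = secrets.randbelow(p - 1), secrets.randbelow(p - 1)
    Kx = pow(g, a1, p) * inv(alpha) % p            # from g^{a'} = alpha * Kx
    Ky = pow(g, b1, p) * inv(beta) % p             # from g^{b'} = beta * Ky
    Kay = pow(alpha, b1, p) * inv(gamma) % p       # from alpha^{b'} = gamma * Kay
    Kbx = pow(beta, a1, p) * inv(gamma) % p        # from beta^{a'} = gamma * Kbx
    Kxy = pow(g, a1 * b1, p) * inv(gamma * Kay * Kbx % p) % p
    return {"Kx": Kx, "Ky": Ky, "Kxy": Kxy, "Kay": Kay, "Kbx": Kbx}, (a1, b1)


def demo(a=123456789, b=987654321, rounds=64):
    """Returns (honest proof accepted, false statement accepted, simulations verify)."""
    alpha, beta = pow(G, a, P), pow(G, b, P)
    gamma = pow(G, a * b, P)
    honest = run_proof(P, G, a, b, gamma, rounds)
    cheat = run_proof(P, G, a, b, gamma * G % P, rounds)   # gamma * g != g^{ab}
    simulated = True
    for e in (0, 1):
        K, resp = simulate_round(P, G, alpha, beta, gamma, e)
        simulated = simulated and check(P, G, alpha, beta, gamma, K, e, resp)
    return honest, cheat, simulated
```

Note that the exponents are reduced modulo $p - 1$ and never need the order of $g$, which is the point of this variant: it works when the exponent group has composite order, unlike the prime-order proof of [9].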
Abstract. In visual cryptography the additive property of light is used. Also the shares are random and therefore suspicious to a censor. In this paper we present two new cryptographic schemes which use music and the wave properties of light. Both schemes are also secret sharing schemes in which the shares are music or images and are not suspicious to a human censor. Our scheme guarantees perfect privacy as well as high quality. To decrypt the message, one just plays two shares on a stereo system. There are two decryption methods which are either based on the interference property of sound or based on the stereo perception of the human hearing system. In optical cryptography, we use pictures as covers and the wave interference property of light. The privacy is perfect and the modified images are non-suspicious. The Mach-Zehnder interferometer is used as the decryption machine.



1 Introduction 

Traditional hiding and steganography methods have the disadvantage that once the method is known, anyone can find the embedded message.

Visual cryptography is secure in this respect. Visual cryptography is a perfectly secure encryption scheme in which both the ciphertext and the key are pixels, with 1 bit depth, printed on transparencies. The decryption is done by stacking the key transparency on top of the ciphertext transparency and does not require any computer. But both ciphertext and key consist of random pixels and hence are suspicious to censors.

A reason for not using computers is that in some countries high technology equipment is suspect. Also, computers may not be trustworthy. Indeed, Goldberg and Wagner just found that at least 10 bits out of the 64-bit keys in the GSM system were actually zeroes. Not only is it dangerous to trust software, trusting hardware is also not recommended. Today's Intel Pentium Pro microprocessor contains more than 5.5 million transistors and therefore it is easy to install a Trojan horse.

More recently cerebral cryptography embeds a message in images and uses human brains to decrypt the ciphertext. It is also a perfect secret sharing scheme. It uses high quality real life images as cover images and generates two shares which maintain high quality. But it requires the cover image to have a large high frequency component, i.e., enough variation. Hence, it only allows very limited bandwidth. Also, decryption in cerebral cryptography is not as easy as its authors seem to claim. Some people have problems with 3-D perception.

In this paper we first present audio cryptography which uses music to embed messages. We base our scheme on the interference property of sound and the phase perception of the human hearing system. Our scheme has similar features to those of cerebral cryptography. The privacy is perfect and a human censor is not able to detect that a single share is suspicious. So, playing a single channel of the music sounds like normal music. By playing the two channels' sounds at the same time we can listen to the secret, i.e., the embedded message.

We then present our idea of optical cryptography which is based on the interference property of light waves and which uses images to hide information. This approach is completely different from the one used to obtain visual cryptography. It achieves the same goal on privacy and no computer is necessary to do the decryption. As in cerebral cryptography, the shares are not suspicious. The privacy of our scheme is perfect and the stego-images (i.e., the modified images) are of high quality. Using a Mach-Zehnder interferometer on two shares, we can see the embedded image. The scheme has the advantage of providing larger bandwidth than cerebral cryptography.

The organization of the paper is as follows. We first explain a model in Section 2. In Section 3 we discuss audio cryptography. In Section 4 we present the basic idea of optical cryptography. We conclude in Section 5.



2 Model 



Before we present our schemes we introduce the model on which our cryptosystems have been built.

There are two agents (or in general n) that transport some secret message from one country to another country. Each agent carries one (or in general m) pictures/pieces of music, in which the secret message is embedded. They cannot use computers.

There are human censors at each customs office who check each passenger's baggage. They cannot use a computer, either. We allow for two types of censors. Some only censor suspicious pictures/music (then two pictures/pieces of music are sufficient). The other type of censor will randomly destroy pictures/music (then we need n agents).

There is also some counterintelligence who may intercept one suspect pic- 
ture/music. They have unrestricted computer power, but we assume they will 
never obtain two shares. 

Our goal is that at least two agents can enter the other country successfully 
and finally meet each other. They put their shares together and they can decrypt 
the message without using any computer. 

Our model has the following security properties:

— Unconditional privacy, i.e., the counterintelligence has infinite computing power.

— Censors can only use human computation.

Note: modern cryptography has three levels of computation power, i.e.,

— infinite computing power

— quantum computing power

— polynomial time (Turing machine) computing power.

We have extended this to include human computation power.

In this paper, we use “embedded message” to refer to the plaintext, “cover” 
to represent the original image or music which is used to encrypt the plaintext 
and “stego-” to refer to the modified image or music which is transported by 
agents. 

3 Audio Cryptography

One of our approaches to hide information is based on the interference property of sound waves. The other is based on the fact that the human hearing system is capable of observing phase differences. The two methods only differ in the way the ciphertext is decrypted. In Section 3.1 we will first give a simple explanation of both concepts. In Section 3.2 we will construct our basic scheme using a harmonic sound and then we will extend it to regular music. In Section 3.3 we demonstrate our results.



3.1 Two Concepts

Interference of Sound  Sound is a pressure wave traveling through air, water or any other medium. Interference occurs when two sound waves encounter each other while traveling. A sound wave is a moving series of compressions (high pressure) and rarefactions (low pressure). If the high-pressure part of one wave lines up with the low-pressure part of another wave, the two waves interfere destructively and there is no more pressure fluctuation (no more sound). On the other hand, if the high-pressure part of one wave meets the high-pressure part of another wave, it results in an intensified high pressure. Note that the matching must occur in both space and time. As shown in Figure 1a, if two simple harmonic sound waves are of the same frequency and amplitude, and if they are superimposed upon one another out of phase (with a 180° difference in phase), then they will destroy each other completely. While in Figure 1b, if they are superimposed upon one another with 0° difference in phase, the resulting wave has an amplitude which is twice the original one.





Fig. 1. Interference illustration. (a) Destructive interference. (b) Constructive interference.



This property has been applied to active noise control, where active attenuation of noise is obtained by using artificially generated acoustic waves mixed with the unwanted sound so that, when the waves are in anti-phase, destructive interference results.

We observe that the interference principle acts like a not-exclusive-or operation, which gives 1 (corresponding to an amplitude of 2) only when the two operands are of equal value.



Stereo Perception  We can localize the direction from which a sound originates. As shown in Figure 2 the sound Source 1 has the same distance from both ears and Source 2 is on the right side of the person in the figure. The waves from Source 1 arrive at the two ears with the same amplitudes and the same phases. But the waves from Source 2 travel a little longer to get to the left ear compared to the right ear. This means that the waves striking the two ears are of different amplitudes and most likely of different phase. As a result, the human hearing system can observe whether the sound comes from Source 1 or from Source 2.

The aspect of observing the phase differences is used in one of our decryption methods.



396   Y. Desmedt, S. Hou, and J.J. Quisquater

Fig. 2. Illustration of observing sound sources.



3.2 Schemes

Our goal is to use shares of the embedded message that are high quality music. We therefore start from some high quality music as the cover. We then want to produce two pieces of stego-music of high quality, such that if one plays these together, one obtains the embedded message. For convenience, we will refer to this scheme as a 2-out-of-2 secret sharing scheme.

The basic idea of audio cryptography is as follows. One generates the share $s_1$ based on random coin flips $b$ and the second share $s_2$ based on $b \oplus S$, where $S$ is the secret bit we want to hide and $\oplus$ is the exclusive-or. It is clear from the properties of the one-time pad that such schemes guarantee perfect secrecy.

In the following, we first use a harmonic sound as the cover. We then generalize it by using music to obtain our anti-censor goal.



Harmonic Scheme  Our basic scheme using harmonic sound is presented first.

The setting

$S$: a plaintext message which is a binary string.

$L$: the length of the embedded message, i.e., how many bits are in $S$.

$T$: a parameter which represents how many seconds of sound are used per secret bit. So, we need a total of $T \times L$ seconds of sound in order to encrypt a secret message of $L$ bits.

$B$: a cover sound which is a single frequency signal lasting $T \times L$ seconds.

Procedure:

— Generate the first share $s_1$ as follows: Initialize $s_1$ to $B$. For every $T$ seconds of data from $s_1$, flip a coin $b$. If $b$ is 1, multiply the corresponding $T$ seconds of data by $-1$, implying a 180° phase change. Otherwise leave them unchanged. So, one has randomly chosen whether to flip the $T$ seconds of data to the opposite phase or not.

— Generate the second share $s_2$: Initialize $s_2$ to $B$. For every $T$ seconds of data from $s_2$, compute $b' = b \oplus S$. If $b'$ is 1, multiply the corresponding $T$ seconds of data by $-1$, implying a 180° phase change. Otherwise leave them unchanged. In other words, if the secret bit is 1 then the corresponding $T$ seconds of sound from $s_2$ has the same phase as that from $s_1$. If the secret bit is 0 then the corresponding $T$ seconds of sound from $s_2$ has the opposite phase to that from $s_1$.



Two Decryption Methods  There are basically two ways that can be used to decrypt the ciphertext in order to get the embedded message. They are either based on the interference property of waves or on the stereo perception property of the human hearing system.

In the first method, we put two speakers very close and face to face. Then, we send share 1, $s_1$, to one speaker and share 2, $s_2$, to the other speaker. We can clearly notice the effect of the volume changing, in which louder represents secret bit 1 and quieter represents secret bit 0. The cancellation is not complete due to incomplete destructive interference, reflections from the wall, etc.

In the second method, we move one speaker to our left side and the other speaker to our right side. Then, as in Method 1, we play the two shares from the two speakers respectively. We can observe that the sound sources move from the sides to the center and from the center to the sides, which is due to the phase differences in the two channels. If both signals from the two channels are of the same phase, which encodes secret bit 1, we observe only one source, from the center. If the two signals are out of phase, which corresponds to secret bit 0, we observe two sources, one from the left and one from the right.

In a variant of the second method, we use a set of headphones instead of two speakers. Playing one share in each ear, we obtain the same effect as in Method 2 due to the phase perception property.



Testing on Harmonic Sound  We have tested our scheme on three harmonic sounds which have frequencies 300 Hz, 500 Hz and 1000 Hz respectively. All the decryption methods worked pretty well. But each share is suspicious. We heard some clicks at each phase-changing point, as shown in Figure 3. This is because the modified signal is not of a single frequency any more and the added frequencies make the click very recognizable in the pure-tone environment.



Music Scheme  We extend our basic scheme of using a harmonic sound to a more general one of using music. We modify the algorithm described in the harmonic method only by using a piece of music instead of a harmonic sound as the cover sound $B$ used to hide the share. Nothing else needs to be changed.

The problem which exists with the harmonic method does not exist in our general scheme. We could hardly hear such clicks. When playing only one stego-sound, either share 1 or share 2, we get very good quality music which sounds just like the original. It is hard to tell any difference. When playing both, we can observe the volume changing if using decryption Method 1 and we can observe the switching of the sound sources if using decryption Method 2 or its variant. All methods provide correct decryption.

Fig. 3. Illustration of how clicks are generated in the harmonic method.

Doing some spectrum analysis, we can see how close the two curves in Figure 4 are, one for the original music and one for the signal after being randomly phase changed. The music is rich in frequencies and therefore the added noise, which is also distributed flatly among a wide range of frequencies, has little impact on human ears.

If the volume of the music goes up and down dramatically and frequently and the cancellation is not complete when using two speakers, it may be difficult to make the right decryption using Method 1. But, in such circumstances, one can always use the methods which are based on the phase perception property, i.e., Method 2 and in particular its variant.



2-out-of-n Schemes  To generalize our previous 2-out-of-2 scheme to 2-out-of-n, we use a known 2-out-of-n secret sharing scheme and use $\lceil \log_2(n) \rceil$ different pieces of music as covers.

We remind the reader that this 2-out-of-n secret sharing scheme is based on $\lceil \log_2(n) \rceil$ many 2-out-of-2 sharing schemes executed independently. So if $k$ is the secret key, one has $k = r_0^i \oplus r_1^i$, where $1 \le i \le \lceil \log_2(n) \rceil$. When numbering the participants from 0 to $n - 1$, participant $j$ receives share $r_0^i$ if the $i$th bit of the binary representation of the integer $j$ is 0, else $r_1^i$.

So, in our context, one uses $\lceil \log_2(n) \rceil$ pieces of music as covers. For practical purposes they are different. For each of the $\lceil \log_2(n) \rceil$ pieces of music one creates shares $R_0^i$ and $R_1^i$ as in our previous 2-out-of-2 audio cryptosystem. A participant $j$ receives the audio channel $R_0^i$ when the $i$th bit of the binary representation of $j$ is 0, else receives $R_1^i$.
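The 2-out-of-n construction just described, as an added worked example (not code from the paper) at the level of the bit strings $r_0^i, r_1^i$; the same assignment of channels $R_0^i, R_1^i$ to participants is what the audio scheme here and the optical scheme of Section 4 use, with each $r^i_c$ standing for the stego channel made from the $i$-th cover. The secret bits and participant counts in the demo are constructed values.

```python
import secrets


def covers_needed(n):
    """Number of independent 2-out-of-2 sharings (cover pieces): ceil(log2 n)."""
    return max(1, (n - 1).bit_length())


def share_2_of_n(secret_bits, n):
    """Split a bit string into n shares such that any two of them reconstruct it.
    L = ceil(log2 n) independent 2-out-of-2 sharings (r0^i, r1^i) are made with
    secret = r0^i XOR r1^i. Participant j (0 <= j < n) receives, for each i,
    r0^i if bit i of j is 0 and r1^i otherwise."""
    L = covers_needed(n)
    pairs = []
    for _ in range(L):
        r0 = [secrets.randbits(1) for _ in secret_bits]       # one-time pad
        r1 = [a ^ b for a, b in zip(r0, secret_bits)]          # pad XOR secret
        pairs.append((r0, r1))
    return [[pairs[i][(j >> i) & 1] for i in range(L)] for j in range(n)]


def reconstruct(j, share_j, k, share_k):
    """Two distinct indices differ in some bit position i; there the two
    participants hold r0^i and r1^i of the same sharing, so XOR gives the secret.
    Pieces i where j and k agree are identical in both shares and are useless."""
    if j == k:
        raise ValueError("need two distinct participants")
    i = next(i for i in range(len(share_j)) if ((j >> i) & 1) != ((k >> i) & 1))
    return [a ^ b for a, b in zip(share_j[i], share_k[i])]


def all_pairs_reconstruct(secret_bits, n):
    """True if every pair of participants recovers secret_bits."""
    shares = share_2_of_n(secret_bits, n)
    return all(reconstruct(j, shares[j], k, shares[k]) == secret_bits
               for j in range(n) for k in range(n) if j != k)


def demo():
    """Constructed secret, n = 5 and n = 8 participants."""
    secret = [1, 0, 1, 1, 0, 0, 1, 0]
    return (all_pairs_reconstruct(secret, 5), all_pairs_reconstruct(secret, 8),
            covers_needed(5), covers_needed(8), covers_needed(2))
```

A single participant holds one channel from each of the $\lceil \log_2 n \rceil$ sharings, each of which is an independent one-time pad of the secret, so one share still reveals nothing; that is why the covers have to be different pieces of music, otherwise two channels of the same cover would already be distinguishable by comparing them.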
3.3 Demonstration

We present some sound samples showing the original music signal, the two shares and the corresponding secret bits in Figure 5.

Fig. 5. Audio cryptography illustration (T = 5 seconds).

We have done tests on pop music and also on classical music. These tests can be found at http://www.cs.uwm.edu/~desmedt/audio/ Both results have shown that each share (stego-sound) is of the same quality as the cover music and the decryption is correct.



4 Optical Cryptography

Light is also a kind of wave and therefore has the interference property. If two beams of light from the same source meet out of phase, they will destroy each other and this results in total darkness. If they meet with the same phase, then they produce an intensified light.

Our idea of optical cryptography is as follows. Our plaintext is a 1 bit/pixel digital image (e.g., a blueprint). We choose a high quality $n$ bits per pixel image which has a larger size than that of our plaintext. We pad the plaintext to make it the same size as the cover image. We generate share 1 by randomly flipping the $m$-th least significant bit of each pixel in the cover image. We copy share 1 to share 2 as its initial value. Then if in the plaintext a pixel has the value 1 we flip the $m$-th least significant bit of the corresponding pixel in share 2. So, now the $m$-th least significant bits in the generated shares are uniformly random bits. If $m$ is small enough then we maintain the high quality. (When $n$ is 8, $m$ can be 4 and the alteration is unnoticeable to a human, as shown in Figure 6 and Figure 7.) The two shares only differ in the $m$-th least significant bit. Denote the $m$-th least significant bit from share 1, share 2 and the plaintext as $s_1$, $s_2$ and $s$ respectively. Then, they are clearly related by $s_2 = s_1 \oplus s$, which is equivalent to $s = s_1 \oplus s_2$.




Fig. 6. Share 1 for optical cryptography scheme with n =8 bits/pixel and m =4th least 
significant bit. 



Now we can use a machine called a Mach-Zehnder interferometer to reconstruct the plaintext. As shown in Figure 8 the laser beam passes some lenses and becomes a wide parallel beam. Then, it is split into two beams, beam 1 and beam 2, which take different paths. When beam 1 passes share 1, its amplitude is changed by the corresponding pixel values in share 1. Beam 2 passes share 2 and carries similar information about share 2. When finally the two beams meet out of phase, the result is the plaintext.
Fig. 7. Share 2 for optical cryptography scheme with n = 8 bits/pixel and m = 4th least significant bit.




Fig. 8. Illustration of the decryption for optical cryptosystems. 
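The share generation of this section and the reconstruction the interferometer performs, as an added worked example that is not code from the paper. Images are plain lists of rows; the 4 x 6 cover with 8-bit pixels and the 3 x 4 one-bit plaintext are constructed here, and $m = 4$ as in Figures 6 and 7. The per-pixel error bound shows why the choice of $m$ governs quality: a flip of the $m$-th least significant bit changes a pixel by exactly $2^{m-1}$ or not at all.

```python
import secrets

# Constructed sample data (not from the paper): a 4 x 6 cover with 8-bit pixels
# and a 3 x 4 one-bit plaintext that is padded to the cover's size.
COVER = [[12, 200, 133, 77, 255, 0],
         [64, 65, 66, 67, 68, 69],
         [128, 129, 130, 131, 132, 133],
         [250, 251, 252, 253, 254, 255]]
PLAIN = [[1, 0, 1, 1],
         [0, 0, 1, 0],
         [1, 1, 0, 0]]


def pad_plaintext(plain, height, width):
    """Pad a 1 bit/pixel image with zeros to height x width."""
    rows = [list(r) + [0] * (width - len(r)) for r in plain]
    return rows + [[0] * width for _ in range(height - len(rows))]


def optical_shares(cover, plain, m):
    """Share 1: the cover with the m-th least significant bit of every pixel
    flipped by an independent coin. Share 2: share 1 with that bit flipped again
    wherever the plaintext pixel is 1. So s2 = s1 XOR s in bit m, and bit m of
    either share on its own is uniformly random."""
    height, width = len(cover), len(cover[0])
    mask = 1 << (m - 1)
    plain = pad_plaintext(plain, height, width)
    share1 = [[px ^ (mask if secrets.randbits(1) else 0) for px in row] for row in cover]
    share2 = [[px ^ (mask if bit else 0) for px, bit in zip(srow, prow)]
              for srow, prow in zip(share1, plain)]
    return share1, share2


def reconstruct(share1, share2, m):
    """What the interferometer does per pixel: s = s1 XOR s2 restricted to bit m."""
    return [[((a ^ b) >> (m - 1)) & 1 for a, b in zip(r1, r2)]
            for r1, r2 in zip(share1, share2)]


def max_pixel_error(cover, share):
    """Largest per-pixel change between cover and share; at most 2^(m-1)."""
    return max(abs(a - b) for r1, r2 in zip(cover, share) for a, b in zip(r1, r2))


def demo(m=4):
    """Returns (reconstruction correct, max error of share 1, max error of share 2)."""
    s1, s2 = optical_shares(COVER, PLAIN, m)
    ok = reconstruct(s1, s2, m) == pad_plaintext(PLAIN, len(COVER), len(COVER[0]))
    return ok, max_pixel_error(COVER, s1), max_pixel_error(COVER, s2)
```

Because every pixel of the cover carries one plaintext bit, the bandwidth is the full pixel count of the cover, which is the advantage over cerebral cryptography that the next paragraph states.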
Optical cryptography allows for high bandwidth encryption while still maintaining our covert property of the shares. The high bandwidth results from using the modification of each pixel.

This 2-out-of-2 perfect threshold scheme can easily be extended to a 2-out-of-n perfect threshold scheme as for audio cryptography. We use the same secret sharing scheme and $\lceil \log_2(n) \rceil$ different images as cover images.

We will report about the testing results of optical cryptography in the final paper.

5 Conclusions and Open Problems

We have demonstrated that audio cryptography uses high quality music as shares and provides perfect privacy. Decryption is easy by playing both shares at the same time. We have discussed two decryption methods. For the decryption, we only need a stereo player and stereo headphones (or two speakers).

We also presented optical cryptography which is different from cerebral cryptography. It has all the aspects of visual cryptography and cerebral cryptography. Only a Mach-Zehnder interferometer, a laser beam and some lenses are needed for decryption.

Both schemes can be considered as 2-out-of-2 threshold secret sharing schemes. We have shown how to generalize them to 2-out-of-n secret sharing schemes by using different cover pictures or sounds. It is not clear how to generalize them to more general t-out-of-n schemes.

Audio cryptography as well as optical cryptography do not need a digital computer to decrypt the ciphertext, however they do require one to encrypt the plaintext. This introduces two open questions:

— Can a cryptographic scheme be developed that does not need a digital computer or equivalent electronic hardware to encrypt plaintext and hide the share as in our schemes, and

— Can a scheme be developed that does not rely on digital computers (or electronic equipment) for encryption as well as for decryption.
Abstract. The problem of unconditionally secure key agreement, in 
particular privacy amplification, by communication over an insecure and 
not even authentic channel, is investigated. The previous definitions of 
such protocols were weak in the sense that it was only required that after 
the communication not both parties falsely believe that the key agree- 
ment was successful. In such a protocol however it is possible that Eve 
deceives one of the legitimate partners, i.e., makes him accept the out- 
come of the protocol although no secret key has been generated. In this 
paper we introduce the notion of strong protocols which protect each of 
the parties simultaneously and, in contrast to previous pessimism, it is 
shown that such protocols exist. For the important special case of pri- 
vacy amplification, a strong protocol is presented that is based on a new, 
interactive way of message authentication with an only partially secret 
key. The use of feedback in such authentication allows to reduce the size 
of the authenticator, hence of the additional information about the key 
leaked to the adversary, without increasing the success probability of an 
active attack. Finally, it is shown that in the scenario where the par- 
ties and the adversary have access to repeated realizations of a random 
experiment, previously derived criteria for the possibility of secret-key 
agreement against active opponents hold for the new, strong definition 
of robustness against active attacks rather than for the earlier definition. 

Keywords. Secret-key agreement, privacy amplification, authentication, 
unconditional secrecy, information theory. 



1 Introduction 

1.1 Provably Secure Key Agreement 

The security of presently used cryptosystems, for instance of all public-key cryp- 
tographic protocols, is based on unproven assumptions on the hardness of certain 
computational problems such as the discrete logarithm problem or the integer 
factoring problem. The fact that all these schemes face the risk of being broken 
by progress in the theory of efficient algorithms motivates the search for systems 
whose security can be rigorously proved. In particular, protocols for the genera- 
tion of a provably secure key have attracted much attention in the past few years. 
In [5] for instance, a general model for secret-key agreement by public communication 
over an authentic channel was described. Here, two parties Alice and Bob 
who want to generate a secret key have access to random variables X and Y, 
respectively, whereas the adversary Eve knows a random variable Z. The three 
random variables X, Y, and Z are distributed according to some distribution 
$P_{XYZ}$. 

Generally, a protocol for secret-key agreement in this scenario is often described 
as consisting of three phases. In the first phase, called advantage distillation, 
Alice and Bob use their advantage over Eve offered by the authenticity of 
the public channel, to generate an advantage over Eve in terms of their knowledge 
about each other's information. During the second phase, information reconciliation, 
Alice and Bob agree on a mutual string S by using error-correction 
techniques, and in the third phase, privacy amplification, the partial secret S is 
transformed into a shorter, highly secret string $S'$. Bennett et al. [1] have shown 
that the length of $S'$ can be nearly $H_2(S \mid Z = z)$, the Rényi entropy of S when 
given Eve's complete knowledge $Z = z$ about S. 

Privacy amplification, which was first introduced by Bennett et al. [2], can 
alternatively be seen as a special case of secret-key agreement from common 
information, namely the case where Alice and Bob have identical information, 
i.e., where $P_{XYZ}$ has the property that $\mathrm{Prob}[X = Y] = 1$. Another important 
special class of distributions $P_{XYZ}$ in the secret-key agreement scenario is where 
X, Y, and Z consist of many independent realizations of the same random 
experiment [5]. 



1.2 Strong Security Against Active Opponents 

Secret-key agreement has also been studied when dropping the condition that 
the channel connecting Alice and Bob is authentic [4], [6]. However, it is clear that 
such key agreement can only be possible if Alice and Bob already have some kind 
of advantage over Eve initially, and if this advantage implies that Eve cannot 
successfully impersonate Bob towards Alice, or vice versa. The conditions on a 
protocol for such key agreement have been defined as follows. After the phase of 
insecure communication, both Alice and Bob either accept or reject the outcome 
and compute a string when accepting. It was demanded that if the adversary 
is passive only, then both parties accept and agree on a mutual highly secure 
string. If the adversary is active on the other hand, then with high probability 
at least one of the parties must reject (or the secret-key agreement must have 
been successful). 

Unfortunately, this definition is not completely satisfactory. Since it is only 
required that one of the parties rejects in case of an active attack, it is not 
excluded that the other party is deceived by Eve, i.e., accepts although secret- 
key agreement was not successful. On the other hand, it is impossible to achieve 
that always both Alice and Bob reject in case of an active attack. Eve can 
always leave Alice and Bob in opposite states by blocking certain messages, as 
Theorem 2 shows. 
However, we propose how nearly as powerful protocols, called strong protocols, 
can be defined which are not impossible to achieve. For a strong protocol 
it is required that, with high probability, either both Alice and Bob reject, or 
the secret-key agreement is successful. It is not required that both Alice and 
Bob accept in the latter case, but that they both compute a mutual secure key. 
It seems that this is the strongest possible security one can achieve against ac- 
tive attackers, and that such protocols are what one actually has in mind when 
speaking about security against active adversaries in secret-key agreement. They 
have the property that no party can be misled by Eve: whenever a party accepts, 
the key agreement has been successful. The new protocol definition and some 
impossibility results are given in Section 2. In the subsequent sections we will 
present strong protocols in the different scenarios mentioned. 

For the case of privacy amplification, treated in Section 3, strong protocols 
are more difficult to obtain than the weaker protocols of [6], and it is shown that 
strong protocols necessarily are more complicated. A new way of authenticating 
messages must be used which is interactive rather than one-way. The crucial 
point is that the authenticator of a message can be much shorter, leaking less 
information about the partly secret string, but maintaining security even against 
adversaries having partial knowledge about the key. 

The scenario where the parties' (and the adversary's) information consists 
of repeated realizations of the same random experiment is treated in Section 4. 
It is shown that the criteria given in [4] for the existence (in this scenario) or 
inexistence (in the general scenario) of protocols secure against active opponents 
are not correct for the protocol definition of [4], but that these (or closely related) 
criteria characterize the existence of strong protocols in this scenario. Correcting 
these earlier results, we show that a (weak) protocol exists if and only if Eve can 
either not simulate the random variable X, using Z, in such a way that someone 
knowing Y cannot distinguish between X and Eve's simulation, or vice versa. 
In [4] it was stated that a protocol exists if both X and Y are not simulatable by 
Eve this way. By modifying the protocols of [4], we show that the last condition 
perfectly characterizes the existence of strong protocols. 



2 Secret-Key Agreement by Communication over an 
Insecure and Non-Authentic Channel 

2.1 Definition of Weak and Strong Protocols 

Definition 1. Assume that two parties Alice and Bob both know discrete random 
variables X and Y, respectively, and that an adversary Eve knows a random 
variable Z, where the joint distribution of the random variables is $P_{XYZ}$. In a 
protocol for secret-key agreement, Alice and Bob exchange messages $C_1, C_2, \ldots$ 
over an insecure channel, where the messages $C_1, C_3, \ldots$ are sent by Alice, and the 
messages $C_2, C_4, \ldots$ are sent by Bob. Each message $C_i$ depends on the sender's 
knowledge when sending the message and possibly on some random bits $R_i$, i.e., 
$H(C_i \mid X, C_1 \cdots C_{i-1}, R_i) = 0$ if i is odd and $H(C_i \mid Y, C_1 \cdots C_{i-1}, R_i) = 0$ if i is 
even^1. At the end of the protocol, both Alice and Bob either accept or reject the 
outcome, and decide whether to compute a string $S'_A$ or $S'_B$, respectively. If a 
party accepts, then it always computes a string. However, a party can also decide 
to compute a string when rejecting the outcome of the protocol. The above decisions 
and the strings $S'_A$ and $S'_B$ are determined by X or Y, respectively, and by 
the messages sent and received. The protocol is called a one-way-transmission 
protocol if messages are sent only into one direction. Otherwise, a protocol is 
called interactive. 

Let r be an integer, and let $\varepsilon, \delta > 0$. A $(P_{XYZ}, r, \varepsilon, \delta)$-protocol for secret-key 
agreement by communication over an insecure and non-authenticated channel 
(or simply $(P_{XYZ}, r, \varepsilon, \delta)$-protocol) is a protocol for secret-key agreement with 
the following properties. 

1. Correctness and privacy. If Eve is a passive wire-tapper, then both Alice and 
Bob accept at the end of the protocol, and secret-key agreement must have been 
successful. The latter is the event that $S'_A$ and $S'_B$ are r-bit strings satisfying 

$$\mathrm{Prob}[S'_A \neq S'_B] \le \varepsilon \quad \text{and} \quad H(S'_A \mid CZ) \ge r - \varepsilon , \qquad (1)$$

where H stands for the (Shannon) entropy function, and where $C := (C_1, C_2, \ldots)$ 
summarizes the entire communication held over the public channel. 

2. (Weak) robustness. For every possible strategy of Eve, the probability that 
either Alice or Bob rejects the outcome of the protocol or secret-key agreement 
has been successful, must be at least $1 - \delta$. 

The protocol is called strong if condition 2 can be replaced by condition 2' 
below. In contrast to this, a protocol satisfying 2 will also be called weak in the 
following. 

2'. Strong robustness. For every possible strategy of Eve, the probability that 
either both Alice and Bob reject the outcome of the protocol or secret-key agreement 
has been successful, must be at least $1 - \delta$. ◇ 



2.2 Impossibility Results 

Of course it is most desirable to use protocols for which Alice and Bob either 
both accept (and secret-key agreement is successful) or both reject with high 
probability. However, the following theorem states that such a synchronization 
cannot be achieved, and makes precise what was already stated in [4]. 

Theorem 2. Assume that there exists a strong $(P_{XYZ}, r, \varepsilon, \delta)$-protocol with the 
modified robustness property that with probability at least $1 - \delta$, either both Alice 
and Bob reject, or both parties accept and secret-key agreement has been successful. 
Then either suitable strings can be computed even without communication, 
i.e., there exist two functions f and g, mapping $\mathcal{X}$ and $\mathcal{Y}$ to $\{0,1\}^r$, respectively, 
such that $S'_A := f(X)$ and $S'_B := g(Y)$ satisfy (1), or $\delta = 1$. 

^1 Here, the $C_i$ stand for the messages actually sent and received by the corresponding 
party (thus possibly modified by the active opponent). 

The proof idea is that Eve can always leave Alice and Bob in opposite acceptance 
states by blocking the channel completely after a certain number of rounds of 
the protocol. A full proof will be given in the final paper. 

Clearly, secret-key agreement secure against active adversaries can only be 
possible if Alice and Bob have some advantage over Eve in terms of the distribution 
$P_{XYZ}$. More precisely, this advantage must be such that Eve cannot 
generate from Z a random variable $\bar{X}$ which Bob, knowing Y, is unable to distinguish 
from X (and vice versa). In [4], the following property of a distribution 
$P_{XYZ}$ was defined. 

Definition 3. [4] Let X, Y, and Z be random variables. We say that X is 
simulatable by Z with respect to Y if there exists a conditional distribution $P_{\bar{X} \mid Z}$ 
such that $P_{\bar{X} Y} = P_{XY}$. ◇ 

In the final paper, we will describe a simple criterion for simulatability in terms 
of the probabilities $P_{XYZ}(x, y, z)$. The following theorem states that a strong 
$(P_{XYZ}, r, \varepsilon, \delta)$-protocol can only exist if both X and Y are not simulatable by Z 
with respect to each other. In the scenario in which the parties obtain repeated 
realizations of the same random experiment, this condition is also sufficient (see 
Section 4). In contrast to the result of [4], a weak protocol can already exist if 
Eve can either not simulate X or not simulate Y. The proof of Theorem 4 is 
given in the full paper. 

Theorem 4. Let X, Y, and Z be random variables with distribution $P_{XYZ}$. If 
both X and Y are simulatable by Z with respect to each other, and if $r \cdot (1 - \varepsilon) - \varepsilon - h(\varepsilon) > 0$, 
then there exists no weak $(P_{XYZ}, r, \varepsilon, \delta)$-protocol for any $\delta < 1$. If 
either X is simulatable by Z with respect to Y (and $r \cdot (1 - 2\varepsilon) - \varepsilon - h(2\varepsilon) > 0$), 
or Y is simulatable by Z with respect to X (and $r \cdot (1 - \varepsilon) - \varepsilon - h(\varepsilon) > 0$), then 
there exists no strong $(P_{XYZ}, r, \varepsilon, \delta)$-protocol for any $\delta < 1$. 

3 Privacy Amplification 

3.1 Protocol Definition 

Privacy amplification, introduced in [2] and generalized in [1], is the technique of 
transforming a partially secret string into a highly secret but shorter string, and 
corresponds to the special case of secret-key agreement for which $X = Y =: S$ 
holds with probability 1. The following definition is a strengthened version of 
the general definition in Section 2. First, it is required that Alice and Bob end 
up with the same string with probability 1 if Eve is passive. Moreover, the 
protocol works for an entire class of distributions $P_{XYZ}$ instead of only one 
distribution. More precisely, Eve's knowledge about the mutual n-bit string S 
is limited by assuming that $P_{S \mid Z = z}$ is, for all $z \in \mathcal{Z}$, contained in some subset 
$\mathcal{D}$ of all possible distributions over the set $\{0,1\}^n$. Typically, $\mathcal{D}$ will consist 
of all distributions satisfying a certain condition in terms of the Rényi- or min-entropy. 
The protocol definition in [6] only covered the special case $\mathcal{D} = \mathcal{D}_{\infty,t} := \{P_X \mid H_\infty(X) \ge t\}$ 
for some t. In this paper we will deal with $\mathcal{D}$'s of the form 
$\mathcal{D} = \mathcal{D}_{2,t} := \{P_X \mid H_2(X) \ge t\}$. However, it is conceivable that protocols exist 
for which $\mathcal{D}$ can (or must) be defined in an entirely different way. 

Definition 5. Assume that Alice and Bob both know a mutual n-bit random 
variable S, and that the random variable Z summarizes Eve's entire knowledge 
about S. Let $\mathcal{D}$ be a subset of all probability distributions on the set of n-bit 
strings, let r be an integer, and let $\varepsilon, \delta > 0$. A (weak or strong) $(n, \mathcal{D}, r, \varepsilon, \delta)$-protocol 
for privacy amplification by communication over an insecure and non-authentic 
channel ($(n, \mathcal{D}, r, \varepsilon, \delta)$-protocol for short) is a protocol for secret-key 
agreement with the following properties. Assume that $P_{S \mid Z = z} \in \mathcal{D}$ for all $z \in \mathcal{Z}$. 

1. Correctness and privacy. If Eve is a passive wire-tapper receiving $Z = z$, 
then both Alice and Bob must accept at the end of the protocol, and there must 
exist an r-bit string $S'$ such that $S' = S'_A = S'_B$ and $H(S' \mid C, Z = z) \ge r - \varepsilon$. 

Finally, the same (weak or strong) robustness property as in Definition 1 must 
hold. ◇ 

3.2 Entropy Measures, the Effect of Side Information, and 
Knowledge About Partial Strings 

Let us first recall the definitions of some information-theoretic quantities used 
in this paper. 

Definition 6. Let X be a discrete random variable with probability function $P_X$ 
and range $\mathcal{X}$. The (Shannon) entropy $H(X)$ of X is^2 $H(X) := -E[\log P_X] = 
-\sum_{x \in \mathcal{X}} P_X(x) \log P_X(x)$. The Rényi entropy $H_2(X)$ is defined as $H_2(X) := 
-\log(E[P_X]) = -\log(\sum_{x \in \mathcal{X}} P_X(x)^2) =: -\log(P_c(X))$, where $P_c(X)$ is called 
the collision probability of X. The min-entropy $H_\infty(X)$ is defined as $H_\infty(X) := 
-\log(\max_{x \in \mathcal{X}}(P_X(x)))$. ◇ 

Because of Jensen's inequality, $H(X) \ge H_2(X)$ holds for all X, with equality if 
and only if X is uniformly distributed in $\mathcal{X}$ or in a subset of $\mathcal{X}$. Furthermore, 
$H_2(X) \ge H_\infty(X) \ge H_2(X)/2$ holds for all X. 

In the remainder of this section we provide some facts necessary for the 
analysis of the protocols described below. We derive bounds on the amount of 
knowledge (e.g., of an adversary) in terms of Rényi entropy about a partial 
string, depending on the amount of knowledge about the entire string. This 
is done both for the cases where the adversary does (Corollary 9) or does not 
(Lemma 7) obtain information about the remaining part of the string. In both 
cases, the result is roughly the intuitive fact that [with high probability] one 
cannot know [substantially] more about a part than about the whole. In the 
case where the adversary obtains information about the remaining part of the 
string, the result follows from a general upper bound on the reduction of the 
Rényi entropy of a random variable when side information is given (Lemma 8). 
A statement analogous to Lemma 7 also holds with respect to min-entropy [6]. 

^2 All the logarithms in this paper are to the base 2, except ln, which is to the base e. 



Lemma 7. Let $S = (S_1, S_2, \ldots, S_n)$ be a random variable consisting of n binary 
random variables. For any k-tuple $i = (i_1, i_2, \ldots, i_k)$, where $1 \le i_1 < i_2 < \cdots < 
i_k \le n$, let $S_i$ be the string $(S_{i_1}, S_{i_2}, \ldots, S_{i_k})$. Then $H_2(S_i) \ge H_2(S) - (n - k)$. 

Proof. Consider a fixed string $s_i = (s_{i_1}, \ldots, s_{i_k})$. This particular value of the 
random variable $S_i$ corresponds to exactly $2^{n-k}$ values $s = (s_1, \ldots, s_n)$ of the 
random variable S. Let $p_1, \ldots, p_{2^{n-k}}$ be the probabilities of these strings (in 
decreasing order), and let $p_0 := \sum_{i=1}^{2^{n-k}} p_i$. Now, we have 

$$\sum_{i=1}^{2^{n-k}} p_i^2 \;=\; p_0 \cdot \sum_{i=1}^{2^{n-k}} \frac{p_i}{p_0} \, p_i \;\ge\; p_0 \cdot \frac{p_0}{2^{n-k}} \;=\; \frac{p_0^2}{2^{n-k}} .$$

Because this holds for every particular string $s_i$, we have for the collision 
probabilities of the random variables S and $S_i$ 

$$P_c(S_i) \;=\; \sum_{s_i} P_{S_i}(s_i)^2 \;\le\; 2^{n-k} \cdot \sum_{s} P_S(s)^2 \;=\; 2^{n-k} \cdot P_c(S) .$$

Hence $H_2(S_i) \ge H_2(S) - (n - k)$, and this concludes the proof. □ 
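
The three entropy measures of Definition 6 and the bound of Lemma 7 can be checked numerically. The following Python block is an added example and not part of the paper: it computes H, $H_2$ and $H_\infty$ of a distribution over n-bit strings, verifies the chain $H \ge H_2 \ge H_\infty \ge H_2/2$ stated in Section 3.2, and checks $H_2(S_i) \ge H_2(S) - (n - k)$ for every k-tuple of bit positions. The skewed 4-bit distribution it uses is constructed for illustration and has no connection to any distribution in the paper.

```python
"""Added example (not from the paper): entropy measures of Definition 6 and a
numerical check of Lemma 7 for a constructed distribution over n-bit strings.
Logarithms are to the base 2, as in the paper."""
from collections import defaultdict
from itertools import combinations
from math import log2


def shannon_entropy(dist):
    """H(X) = -sum_x P_X(x) log P_X(x); `dist` maps outcomes to probabilities."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def collision_probability(dist):
    """P_c(X) = sum_x P_X(x)^2."""
    return sum(p * p for p in dist.values())


def renyi_entropy(dist):
    """H_2(X) = -log P_c(X)."""
    return -log2(collision_probability(dist))


def min_entropy(dist):
    """H_inf(X) = -log max_x P_X(x)."""
    return -log2(max(dist.values()))


def marginal(dist, positions):
    """Distribution of the partial string S_i = (S_{i_1}, ..., S_{i_k});
    outcomes are bit tuples, `positions` are 0-based indices."""
    out = defaultdict(float)
    for s, p in dist.items():
        out[tuple(s[j] for j in positions)] += p
    return dict(out)


def entropy_chain_holds(dist, tol=1e-9):
    """H(X) >= H_2(X) >= H_inf(X) >= H_2(X)/2 (Section 3.2)."""
    h, h2, hinf = shannon_entropy(dist), renyi_entropy(dist), min_entropy(dist)
    return h + tol >= h2 and h2 + tol >= hinf and hinf + tol >= h2 / 2


def lemma7_holds(dist, n, tol=1e-9):
    """H_2(S_i) >= H_2(S) - (n - k) for every k and every k-tuple i of positions."""
    h2_full = renyi_entropy(dist)
    for k in range(1, n + 1):
        for positions in combinations(range(n), k):
            if renyi_entropy(marginal(dist, positions)) < h2_full - (n - k) - tol:
                return False
    return True


def skewed_distribution(n=4):
    """Constructed sample: n-bit strings with weights cycling 1..5 (arbitrary)."""
    strings = [tuple((v >> j) & 1 for j in range(n)) for v in range(2 ** n)]
    weights = [(v % 5) + 1 for v in range(2 ** n)]
    total = sum(weights)
    return {s: w / total for s, w in zip(strings, weights)}


def uniform_distribution(n=4):
    """Uniform over n-bit strings: all three entropies equal n."""
    return {tuple((v >> j) & 1 for j in range(n)): 2.0 ** -n for v in range(2 ** n)}


if __name__ == "__main__":
    d = skewed_distribution(4)
    print("H    =", round(shannon_entropy(d), 4))
    print("H2   =", round(renyi_entropy(d), 4))
    print("Hinf =", round(min_entropy(d), 4))
    print("chain holds:", entropy_chain_holds(d), " Lemma 7 holds:", lemma7_holds(d, 4))
```

For the uniform distribution all three measures coincide with n and Lemma 7 holds with equality for every k, which is the case the proof's inequality $\sum p_i^2 \ge p_0^2/2^{n-k}$ is tight in; for the skewed distribution the chain is strict and the lemma's slack is visible in the printed values.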



Lemma 8 gives an upper bound on the reduction of the Rényi entropy $H_2(P)$ 
of a random variable P when side-information $[Q, R]$ (consisting of a pair of 
random variables) is given, where $I(P; R) = 0$. It states that this reduction 
exceeds $\log|\mathcal{Q}|$ substantially only with small probability in both cases. (Note 
that it is not trivial that no additional reduction is induced by R if $I(P; R) = 0$. 
For instance, $I(P; Q) = 0$ and $I(P; R) = 0$ together do not imply that $H_2(P \mid Q = 
q, R = r) = H_2(P)$, as the example $P = Q \oplus R$ shows.) Lemma 8 can be shown 
similarly to Theorem 4.17 in [3]. 

Lemma 8. Let P, Q, and R be discrete random variables with $I(P; R) = 0$. 
Then $\mathrm{Prob}_{QR}[H_2(P \mid Q = q, R = r) \ge H_2(P) - \log|\mathcal{Q}| - s] \ge 1 - 2^{-(s/2 - 1)}$ for 
all $s \ge 2$. 

Corollary 9 is a consequence of Lemma 8. It states that a formally slightly 
weaker result than that of Lemma 7, concerning the knowledge (in terms of $H_2$) 
of a partial string, even holds when the rest of the string is made public. 

Corollary 9. Let S be an n-bit string, and let a partition of S be given into two 
strings $S'$ and $S''$ of lengths l and $n - l$, respectively. Let $s \ge 2$ be a security 
parameter. Then the probability, taken over $s''$, that $H_2(S' \mid S'' = s'') \ge H_2(S) - 
(n - l) - s$ holds is at least $1 - 2^{-(s/2 - 1)}$. 
3.3 Interaction Versus One-Way Transmission 

The case of one-way-transmission protocols for privacy amplification by public 
discussion over a completely insecure channel was already treated in [6]. In Appendix 
A of this paper, it is shown that such a protocol can never be strong, 
and a better analysis of the protocol in [6], called Protocol A, is given. 

In Section 3.4 we present a strong, hence necessarily interactive, protocol 
for privacy amplification secure against active opponents. This protocol uses 
interaction for two reasons. First, feedback is necessary to prevent the sender 
of the first message from accepting when Eve blocks or modifies the message 
(Theorem 15). Second, it is advantageous to use interactive instead of usual one-way 
authentication when the adversary has some partial information about the 
key. Here, a message is not authenticated by the sender, but reconfirmed by 
the receiver by correctly answering a challenge (which is equal to the message 
itself). The intuitive reason is that the adversary is in a better position if she can 
freely choose a modified message to authenticate, instead of having to respond 
to a given challenge, which is necessary for attacking the interactive way of 
authentication described below. 

Lemma 10 provides a method for interactive authentication with a partially 
secret key K, with the property that the adversary Eve can only answer challenges 
d correctly by $f_d(K)$ with substantial probability when she knows at least 
half of the string K (in terms of $H_2$). Moreover, the same is even true if Eve, 
given d, learns some $f_{d'}(K)$ of her choice (where $d' \neq d$). Note that this is 
what she can actually achieve in a substitution attack. Surprisingly, this holds 
although the length of d and $f_d(K)$ is only a small fraction of the length of K. 

Lemma 10. Let N and $\ell$ be integers such that $2\ell$ divides N and $2^\ell > N/\ell$ holds, 
and let K be a random variable with range $\mathcal{K} \subseteq GF(2^N)$. Let further for any $d \in 
GF(2^\ell)$ the function $f_d : \{0,1\}^N \to \{0,1\}^\ell$ be defined as $f_d(x) := \sum_{i=0}^{N/\ell - 1} d^i x_i$, 
where $(x_0, \ldots, x_{N/\ell - 1}) \in (GF(2^\ell))^{N/\ell}$ is a representation of $x \in GF(2^N)$ with 
respect to a fixed basis of $GF(2^N)$ over $GF(2^\ell)$, the computations are carried 
out in the field $GF(2^\ell)$, and the elements of $GF(2^\ell)$ are represented as $\ell$-bit 
strings with respect to a fixed basis of $GF(2^\ell)$ over $GF(2)$. Assume that there 
exists a (possibly probabilistic) function $d \mapsto d'$, $GF(2^\ell) \to GF(2^\ell)$, such that 
$d' \neq d$ holds for all d, and such that given $f_{d'}(K)$, the value $f_d(K)$ can be 
guessed correctly (with some strategy) with probability at least $\alpha$, taken over the 
distribution of K, the random choice of d (according to the uniform distribution), 
and the coin tosses of the guessing strategy. Then $H_2(K) \le N/2 + (2N/\ell) \cdot 
\log(1/\alpha)$ or equivalently, $\alpha \le 2^{-(H_2(K) - N/2)\,\ell/(2N)}$. 

Proof. Note first that we can assume without loss of generality that the function 
$d'(d)$ and the strategy of guessing $f_d(k)$ from $f_{d'}(k)$ are deterministic, since 
for every possible strategy there exists a deterministic strategy that is at least 
as good (a randomized strategy can be seen as a combination of deterministic 
strategies, of which the optimal one can be chosen). Furthermore, there must 
exist distinct elements $d_1, \ldots, d_{N/\ell}$ of $GF(2^\ell)$ such that $f_{d_i}(k)$ is guessed correctly 
from $f_{d_i'}(k)$, where $d_i' := d'(d_i)$, for all $i = 1, \ldots, N/\ell$ with probability at 
least $\alpha^{N/\ell}$ over k. Let $\mathcal{E}$ ($\subseteq \mathcal{K}$) be this event. We prove that^3 $|\mathcal{E}| \le 2^{N/2}$. 

By cancelling $N/2\ell$ of the pairs $(d_i, d_i')$ and renumbering the remaining pairs, 
we can obtain $N/2\ell$ pairs $(d_i, d_i')$ with the property that $d_i \notin \{d_1', \ldots, d_{i-1}'\}$ holds 
for all $i = 1, \ldots, N/2\ell$. (In the worst case, all the pairs $(d_i, d_i')$ occur twice in 
inverse orderings. Then, every second pair $(d_i, d_i')$ must be cancelled.) 

The event $\mathcal{E}$ has the property that $f_{d_1'}(k) = f_{d_1'}(k^*)$ implies $f_{d_1}(k) = f_{d_1}(k^*)$ 
for all $k, k^* \in \mathcal{E}$. Otherwise $f_{d_1}(k)$ could not be guessed correctly from $f_{d_1'}(k)$ for 
all $k \in \mathcal{E}$. Hence $\mathcal{E}$ must be contained in a set $\mathcal{E}_1$ of the form $\mathcal{E}_1 = \bigcup_a \{k : 
f_{d_1}(k) = b(a) \text{ and } f_{d_1'}(k) = a\}$ for some function $b(a)$, where the union is 
taken over all $a \in GF(2^\ell)$. Analogously, $\mathcal{E}$ must also be contained in sets $\mathcal{E}_i$, 
$i = 2, \ldots, N/2\ell$, of the same form (with $d_1$ and $d_1'$ replaced by $d_i$ and $d_i'$, respectively), 
hence $\mathcal{E} \subseteq \bigcap_{i=1}^{N/2\ell} \mathcal{E}_i$. We show that the cardinality of the set on the 
right hand side is at most $2^{N/2}$. First, observe that every set of at most $N/\ell$ ($< 2^\ell$) 
functions $f_{d_i}$ is, for pairwise distinct $d_i \in GF(2^\ell)$, linearly independent over 
$GF(2^\ell)$ (the so-called Vandermonde determinant is nonzero in this case). We 
define $r_i := |\mathcal{E}_1 \cap \cdots \cap \mathcal{E}_i|$. From the linear independence of $\{f_{d_1}, f_{d_1'}\}$, we first 
conclude that $r_1 = 2^{N - \ell}$. Furthermore, the linear independence of $f_{d_{i+1}}$ from the set 
$\{f_{d_1}, \ldots, f_{d_i}, f_{d_1'}, \ldots, f_{d_{i+1}'}\}$ (because $d_{i+1} \notin \{d_1, \ldots, d_i, d_1', \ldots, d_{i+1}'\}$ according to 
the choice of the pairs $(d_i, d_i')$) implies that $r_{i+1} = r_i / 2^\ell$ for $i = 1, \ldots, N/2\ell - 1$. 
Note that this also holds if $d_{i+1}' = d_j$ or $d_{i+1}' = d_j'$ for some $j < i + 1$. We conclude 
that $|\mathcal{E}| \le r_{N/2\ell} = 2^{N - \ell} / 2^{\ell (N/2\ell - 1)} = 2^{N/2}$. 

On the other hand,$\mathrm{Prob}[\mathcal{E}] = \sum_{k \in \mathcal{E}} P_K(k) \ge \alpha^{N/\ell}$. In the case where $P_K$ restricted 
to $\mathcal{E}$ is the uniform distribution (this case maximizes the Rényi entropy) 
with probability at least $\alpha^{N/\ell} / |\mathcal{E}|$, we have $P_c(K) \ge \sum_{k \in \mathcal{E}} P_K(k)^2 \ge 
|\mathcal{E}| \cdot (\alpha^{N/\ell} / |\mathcal{E}|)^2 \ge \alpha^{2N/\ell} / 2^{N/2}$, and the claim follows when the negative logarithm 
is computed on both sides. □ 

3.4 A Strong Protocol for Privacy Amplification 

The new technique for authentication allows the construction of a strong protocol 
for privacy amplification. However, the fact that the challenge string d, 
which must uniquely determine the message, i.e., the specification of the hash 
function for privacy amplification, is short implies that one cannot use universal 
hash functions, whose descriptions would be too long (see for example [8] 
for lower bounds on the cardinality of universal classes). We use so-called extractors 
instead, which are small classes of functions allowing to extract the 
min-entropy $H_\infty$ of a weak random source into a close-to-uniformly distributed 
string or equivalently, to transform a partially secret into a highly secret string 
(see Appendix B). 

We are now ready to present and analyze the strong protocol for privacy 
amplification secure against active adversaries. Let n be a multiple of 3, let 
$0 < m < 1$ be such that $2mn$ is a divisor of $2n/3$, and let $d := (2n/3)/(mn)$. 

^3 Throughout the paper, the cardinality of a set M is denoted by $|M|$. 

For an n-bit string S, let $S_I$, $S_{II}$, and $S_{III}$ be $(n/3)$-bit strings such that 
$S = S_I \| S_{II} \| S_{III}$, where $\|$ stands for the concatenation of strings. Let further 
$f_h(S_I \| S_{II})$ be defined as in Lemma 10 for $S_I \| S_{II} = (S_0, \ldots, S_{d-1}) \in GF(2^{mn})^d$ 
(here, the $S_i$ are interpreted as elements of $GF(2^{mn})$ with respect to a fixed representation 
of $GF(2^{mn})$ over $GF(2)$) and $h \in GF(2^{mn})$. Then Protocol B works 
as follows. The extractor function E will be specified below. By $a \in_R A$, we 
express that a is randomly chosen in the set A according to the uniform distribution. 

Protocol B 

Alice                                              Bob 

h ∈_R GF(2^{mn}) 
                          ------- h ------->
                                                   a := f_h(S_I || S_II) 
                                                   b ∈_R GF(2^{mn}) 
S' := E(S_III, h)                                  S' := E(S_III, h) 
                          <----- (a, b) ----- 
if a ≠ f_h(S_I || S_II) : stop 
if a = f_h(S_I || S_II) : 
  c := f_b(S_I || S_II) 
                          ------- c ------->
  accept                                           if c = f_b(S_I || S_II) : accept 
                                                   if c ≠ f_b(S_I || S_II) : reject 



Theorem 11. Let $t > 2/3$ be a constant. Then there exist constants m and 
$n_0$, and for every $n \ge n_0$ a function E, computable in polynomial time, such 
that Protocol B is a strong $(n, \mathcal{D}_{2,tn}, \Omega(n), 2^{-\Omega(n)}, 2^{-\Omega(n)})$-protocol for privacy 
amplification by communication over an insecure and non-authentic channel. 

Note that the assumption on Eve’s knowledge about S is exactly the same for 
Protocol B as for Protocol A. However, the price that has to be paid for strong 
robustness is that the length of the extracted string is only a constant fraction 
of the length of the key generated by the weak Protocol A, and that a higher 
round complexity is required in communication. 
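
The authenticator $f_d$ of Lemma 10 and the message flow of Protocol B above, as an added Python example that is not code from the paper. It fixes constructed parameters: $\ell = 8$, with $GF(2^8)$ represented modulo the AES reduction polynomial $x^8 + x^4 + x^3 + x + 1$ as the fixed basis choice, $N = 64$ bits for $K = S_I \| S_{II}$ (so $2\ell \mid N$ and $2^\ell > N/\ell$ hold), and $n = 96$, hence $mn = 8$ and $d = (2n/3)/(mn) = 8$. $f_d(x) = \sum_i d^i x_i$ is evaluated by Horner's rule over the $\ell$-bit chunks of x. The channel is modelled as a function so that a passive run, a run in which the first message is altered, and a run in which the last message is blocked can be compared. The extractor E is a placeholder (a truncated SHA-256 of $h \| S_{III}$) that only illustrates the flow; it is not the extractor of Appendix B and has no extraction property. The value of S used is a constructed sample.

```python
"""Added example (not code from the paper): the interactive authentication
function f_d of Lemma 10 over GF(2^l) and the message flow of Protocol B.
Parameters, the field representation and the extractor stand-in are all
constructed for this illustration (see the lead-in)."""
import hashlib
import secrets

L = 8            # l: bits per element of GF(2^l)
N = 64           # |S_I || S_II| in bits (2l divides N, 2^l > N/l)
D = N // L       # N/l field elements per key
N_TOTAL = 96     # n = |S|; S_I, S_II, S_III are n/3 = 32 bits each
MASK = (1 << L) - 1


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (AES polynomial)."""
    r = 0
    for _ in range(L):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & MASK
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def f(d, x):
    """f_d(x) = sum_{i=0}^{N/l-1} d^i x_i over GF(2^l), where x_0 .. x_{N/l-1}
    are the l-bit chunks of the N-bit integer x (lowest chunk = x_0)."""
    chunks = [(x >> (L * i)) & MASK for i in range(D)]
    acc = 0
    for c in reversed(chunks):          # Horner's rule
        acc = gf_mul(acc, d) ^ c
    return acc


def split_S(S):
    """S = S_I || S_II || S_III; returns (K = S_I || S_II, S_III)."""
    third = N_TOTAL // 3
    return S >> third, S & ((1 << third) - 1)


def extractor_placeholder(s3, h, r_bits=16):
    """Stand-in for E(S_III, h); NOT an extractor, flow illustration only."""
    digest = hashlib.sha256(bytes([h]) + s3.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - r_bits)


def run_protocol_b(S, h, b, channel):
    """Protocol B with Alice's h and Bob's b given explicitly. `channel(i, msg)`
    returns what the receiver of message i sees (0: h, 1: (a, b), 2: c);
    None means the message was blocked.
    Returns (alice_accepts, bob_accepts, S'_A, S'_B)."""
    K, s3 = split_S(S)
    S_A = extractor_placeholder(s3, h)             # Alice: S' := E(S_III, h)
    h_recv = channel(0, h)                         # Alice -> Bob: h
    if h_recv is None:
        return False, False, S_A, None             # no (a, b) arrives: Alice stops
    a = f(h_recv, K)                               # Bob: a := f_h(S_I || S_II)
    S_B = extractor_placeholder(s3, h_recv)        # Bob: S' := E(S_III, h)
    ab = channel(1, (a, b))                        # Bob -> Alice: (a, b)
    if ab is None or ab[0] != f(h, K):
        return False, False, S_A, S_B              # a != f_h(...): Alice stops, Bob gets no c
    c = f(ab[1], K)                                # Alice: c := f_b(S_I || S_II)
    c_recv = channel(2, c)                         # Alice -> Bob: c
    bob_ok = c_recv is not None and c_recv == f(b, K)
    return True, bob_ok, S_A, S_B                  # Alice accepts; Bob checks c


def honest(i, msg):
    """Passive Eve: every message arrives unchanged."""
    return msg


def modify_h(i, msg):
    """Constructed active run: the first message h is altered, the rest passes."""
    return (msg ^ 1) if i == 0 else msg


def block_c(i, msg):
    """Constructed active run: the last message c is blocked."""
    return None if i == 2 else msg


if __name__ == "__main__":
    S = (0x1111111111111122 << 32) | 0xDEADBEEF      # constructed sample S
    h, b = secrets.randbelow(1 << L), secrets.randbelow(1 << L)
    print("honest   :", run_protocol_b(S, h, b, honest))
    print("h altered:", run_protocol_b(S, h, b, modify_h))
    print("c blocked:", run_protocol_b(S, h, b, block_c))
```

In the altered-h run Alice's check $a = f_h(S_I \| S_{II})$ fails and Bob never receives c, so both reject, which is the strong robustness of condition 2'. In the blocked-c run Alice accepts while Bob rejects, but both hold the same $S'$: this is the opposite-states situation of Theorem 2, and it is permitted by condition 2' because the key agreement itself was successful.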

Proof of Theorem 11. Let $0 < m < t - 2/3$ be constant, and let $z \in \mathcal{Z}$ be 
the particular value known to the adversary Eve. Assume first that Eve is only 
passive. We give a lower bound on the min-entropy of the string $S_{III}$ from Eve's 
point of view and given the entire communication C held over the public channel. 
Since this communication is, given $S_I$, $S_{II}$, and $Z = z$, independent of $S_{III}$, 
we have $H_2(S_{III} \mid C = c, S_I = s_I, S_{II} = s_{II}, Z = z) = H_2(S_{III} \mid S_I = s_I, S_{II} = 
s_{II}, Z = z) \ge (t - 2/3)n/2$ with probability at least $1 - 2^{-((t - 2/3)n/4 - 1)}$ according 
to Lemma 7. (Of course Alice and Bob could publish $S_I$ and $S_{II}$ at the end 
of the protocol, only helping a possible adversary.) Because $H_\infty(X) \ge H_2(X)/2$ 
for all X, we conclude that 

$$H_\infty(S_{III} \mid C = c, S_I = s_I, S_{II} = s_{II}, Z = z) \ge (t - 2/3)n/4 \qquad (2)$$

holds with probability at least $1 - 2^{-((t - 2/3)n/4 - 1)}$. 

From Corollary 19 in Appendix B, we conclude that there exist $n_0$ and for all^4 
$n \ge n_0$ numbers $w \le mn$, $r = \Omega(n)$, and a function $E : \{0,1\}^{n/3} \times \{0,1\}^w \to 
\{0,1\}^r$ (computable in polynomial time) with the following property. Under the 
condition that T is an $(n/3)$-bit random variable with $H_\infty(T) \ge (t - 2/3)n/4$ 
and that U is a uniformly distributed w-bit random variable, we have for $R := 
E(T, U)$ that $H(R \mid U) \ge r \cdot (1 - 2^{-n/(\Theta(\log(n/3)))^2}) \cdot (1 - \ldots - 2^{-\ldots})$. 

For the choice $P_T = P_{S_{III} \mid C = c, Z = z}$ and $P_R = P_{S'} = P_{E(S_{III}, V)}$ (where V is 
composed by the first w bits of H in a fixed representation) we obtain, using 
(2) and $I(H; SZ) = 0$, $H(S' \mid C, Z = z) \ge r - r \cdot (2^{-n/(\Theta(\log(n/3)))^2 + 1} + \ldots + 
2^{-((t - 2/3)n/4 - 1)}) = r - 2^{-\Omega(n)}$. 

We consider the case where Eve is an active adversary and give an upper 
bound on the probability of the event that Alice and Bob do not both reject 
although secret-key agreement has not been successful. It is obvious that this 
can only occur if Eve can either guess $f_h(S)$ from some $f_{h'}(S)$ (where $h' \neq h$) or 
guess $f_b(S)$ correctly, where h and b are randomly chosen. The success probability 
$\delta$ of such an active attack is upper bounded by 

$$\delta \le 2^{-(m/2)(t - 2/3)n} + 2^{-((t - 2/3 - m)n/4 - 1)} + 2^{-(m/2)(t - 2/3 - m)n/2} . \qquad (3)$$

To see this, we first conclude from Lemma 7 that $H_2((S_I \| S_{II}) \mid Z = z) \ge (t - 
1/3)n$. According to Lemma 10 (for $K = S_I \| S_{II}$, $N = 2n/3$, and $\ell = mn$) and 
Lemma 8, the summands in (3) are upper bounds on the probabilities of guessing 
$f_h(S)$ from some $f_{h'}(S)$, of the event $\mathcal{E}$ that $H_2((S_I \| S_{II}) \mid H = h, A = a, Z = 
z) < n/3 + (t - 2/3 - m)n/2 \le H_2((S_I \| S_{II}) \mid Z = z) - mn - (t - 2/3 - m)n/2$, 
and of finding $f_b(S)$ when given $\overline{\mathcal{E}}$, respectively. We conclude that Protocol B is 
a strong protocol with all the required properties. □ 



4 Independent Repetitions of a Random Experiment 

Another important special case of secret-key agreement protocols is the scenario 
where the information the parties obtain consists of many independent real- 
izations of the same random experiment (with distribution Pxyz) [5]. Eor the 

We can assume, not changing the basic result, that n is a multiple of 3, and that 
2mn is an integer dividing 2nj2>. Otherwise, ran can be replaced by k := [mn] in the 
entire proof, and n can be substituted by the unique multiple of 3k in the interval 
[n, n + 3k — 1]. Alice and Bob then add the required number of zeroes to the end of 
S, not changing the distribution of S. 
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passive-adversary case, the secret-key rate S(Pxyz) has been defined in [5] as 
the maximal rate at which a secret key can be generated. The following defi- 
nition generalizes this notion to the active-adversary case with respect to weak 
and strong protocols. 

Definition 12. The (weak) secret-key rate against active adversaries, denoted 
S^{PxYz), is the least upper bound of the set of numbers R > 0 with the 
property that for all e, <5 > 0, and for sufficiently large n, there exists a weak 
(PxYZ^ [i?nj , e, (5)-protocol for secret-key agreement by communication over an 
insecure and non-authentic channel. Here, Pxyz stands for the distribution over 
^71 X X that corresponds to n independent realizations of the random 
experiment with distribution Pxyz - The (strong) rate S*{Pxyz) is defined anal- 
ogously, but it is required that the protocol is strong. o 

Of course, we have $S^*(P_{XYZ}) \le S^w(P_{XYZ}) \le S(P_{XYZ})$ for all distributions $P_{XYZ}$. The following theorem expresses $S^w(P_{XYZ})$ and $S^*(P_{XYZ})$ in terms of $S(P_{XYZ})$ and $P_{XYZ}$, and corrects the results of [4]. Both $S^w$ and $S^*$ are equal to either $S$ or 0, depending on whether $X$ or $Y$ (or both) are simulatable by Eve. The proof of Theorem 13 follows the lines of [4], and will be given in a final paper.

Theorem 13. Let $P_{XYZ}$ be a distribution of the random variables $X$, $Y$, and $Z$ such that $S(P_{XYZ}) > 0$. Then $S^w(P_{XYZ}) = 0$ if and only if both $X$ and $Y$ are simulatable by $Z$ with respect to each other. Otherwise, $S^w(P_{XYZ}) = S(P_{XYZ})$. Furthermore, $S^*(P_{XYZ}) = 0$ holds if and only if either $X$ or $Y$ is simulatable by $Z$ (with respect to $Y$ or $X$, respectively). Otherwise $S^*(P_{XYZ}) = S(P_{XYZ})$.

5 Concluding Remarks 

Improving earlier results, and relativizing the previous pessimism, we have shown that unconditionally secure key agreement against active opponents is possible in such a way that both parties are simultaneously protected against an adversary's active attacks. Clearly, this property is what one would naturally require from such a protocol. In the special case of privacy amplification, interactive (instead of one-way) authentication makes it possible to reduce the adversary's gain of information about the partially secret key by using shorter authenticators, without increasing the success probability of a message-substitution attack even by an adversary with partial knowledge about the key. Finally, we have shown that, in the situation of general random variables as well as in the scenario where the parties have access to repeated realizations of the same random experiment, previously formulated non-simulatability criteria characterize the existence of strong rather than weak protocols.
Appendix A. One-Way Privacy Amplification

In [1], the following important theorem on privacy amplification secure against passive adversaries has been proved, which implies that there exist protocols for privacy amplification by authenticated communication which allow one to extract a string $S'$ whose length is roughly equal to the Rényi entropy of $S$, given Eve's knowledge.

Theorem 14. [1] Let $S$ be a random variable with probability distribution $P_S$ and Rényi entropy $H_2(S)$, and let $G$ be the random variable corresponding to the random choice (with uniform distribution) of a member of a universal class of hash functions mapping $S$ to $r$-bit strings, and let $S' = G(S)$. Then $r \ge H(S' \mid G) \ge H_2(S' \mid G) \ge r - 2^{r - H_2(S)}/\ln 2$.

We will apply Theorem 14 to the case where all the probabilities are conditioned on $Z = z$. The function $G$ is chosen from a universal class of hash functions. Generally, a class $\mathcal{H}$ of functions mapping $\mathcal{A}$ to $\mathcal{B}$ is called universal if for all $x, y \in \mathcal{A}$, $x \ne y$, $\mathrm{Prob}[h(x) = h(y)] = 1/|\mathcal{B}|$ if $h$ is chosen randomly from $\mathcal{H}$ according to the uniform distribution. An example of such a class of functions mapping $l$-bit strings to $r$-bit strings (where $l \ge r$) is the set of functions $h_c(x) = \mathrm{LSB}_r(c \cdot x)$ for all $c \in GF(2^l)$. This class contains $2^l$ different functions.

Let us now consider non-interactive privacy amplification secure against active opponents. Note first that a one-way-transmission protocol cannot be strong.

Theorem 15. Assume that a strong $(n, \mathcal{P}_2, t, r, \varepsilon, \delta)$-one-way-transmission protocol exists. Then $\varepsilon \ge \min\{r, n - t\}$ or $\delta = 1$.
The proof of this theorem will be given in the final paper. The following (weak) protocol was described already in [6]. Here, $S$ is an $n$-bit string, and $S_I$, $S_{II}$, and $S_{III}$ are the first, second, and third parts of $S$ of length $n/3$.

Protocol A

Alice                                              Bob

$h \in_R GF(2^{n/3})$

$a := h \cdot S_I + S_{II}$

                        $(h, a) \longrightarrow$

accept                                             accept if $a = h \cdot S_I + S_{II}$

$S' := \mathrm{LSB}_r(h \cdot S_{III})$            $S' := \mathrm{LSB}_r(h \cdot S_{III})$

The notation $h \in_R GF(2^{n/3})$ means that $h$ is chosen randomly from $GF(2^{n/3})$ according to the uniform distribution. All the computations are carried out in the field $GF(2^{n/3})$.
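As an added example (not code from the paper), Protocol A instantiated over $GF(2^8)$, i.e. $n = 24$ with 8-bit parts $S_I$, $S_{II}$, $S_{III}$; the reduction polynomial and the sample string are constructed choices. It also checks the proof's "crucial argument" below: two accepted transcripts with different $h$ determine $S_I \| S_{II}$, which is why $S$ may be used for one run only.

```python
# Added example: Protocol A over GF(2^8) (n = 24, parts of 8 bits).  The field
# polynomial and the sample string S are constructed choices, not from the paper.
import secrets

BITS = 8
IRRED = 0x11B        # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2), defines GF(2^8)
MASK = (1 << BITS) - 1


def gf_mul(x: int, y: int) -> int:
    """Product of two GF(2^8) elements (carry-less multiply, reduce mod IRRED)."""
    acc = 0
    while y:
        if y & 1:
            acc ^= x
        y >>= 1
        x <<= 1
        if x & (1 << BITS):
            x ^= IRRED
    return acc


def gf_inv(x: int) -> int:
    """Inverse via x^(2^8 - 2) (square-and-multiply); x must be non-zero."""
    result, base, e = 1, x, (1 << BITS) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def split(s: int) -> tuple:
    """S = S_I || S_II || S_III with 8-bit parts."""
    return (s >> 2 * BITS) & MASK, (s >> BITS) & MASK, s & MASK


def lsb(x: int, r: int) -> int:
    """LSB_r(x): the r least significant bits."""
    return x & ((1 << r) - 1)


def alice_send(s: int, h=None) -> tuple:
    """Alice: h <-_R GF(2^8), a := h * S_I + S_II, sends (h, a).  h may be fixed for tests."""
    s1, s2, _ = split(s)
    if h is None:
        h = secrets.randbelow(1 << BITS)
    return h, gf_mul(h, s1) ^ s2          # '+' in GF(2^8) is XOR


def bob_receive(s: int, h: int, a: int, r: int):
    """Bob: accept iff a = h * S_I + S_II, then S' := LSB_r(h * S_III); None on reject."""
    s1, s2, s3 = split(s)
    if a != gf_mul(h, s1) ^ s2:
        return None
    return lsb(gf_mul(h, s3), r)


def alice_key(s: int, h: int, r: int) -> int:
    """Alice's S' := LSB_r(h * S_III); she accepts unconditionally after sending."""
    return lsb(gf_mul(h, split(s)[2]), r)


def recover_prefix(h: int, a: int, h2: int, a2: int) -> tuple:
    """The proof's observation: two valid transcripts with h != h2 determine S_I || S_II,
    because a ^ a2 = (h ^ h2) * S_I.  This is why S must not be reused across runs."""
    s1 = gf_mul(a ^ a2, gf_inv(h ^ h2))
    return s1, a ^ gf_mul(h, s1)
```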

Theorem 16. Let $n$, $s$, and $t$ be positive integers such that $n \ge tn \ge 2n/3 + s$. Then Protocol A is a weak $(n, \mathcal{P}_2, t, (t - 2/3)n - s, \varepsilon, \delta)$-protocol for privacy amplification by communication over an insecure and non-authentic channel for $\varepsilon = r \cdot 2^{-(s/3 - 1)} + 2^{-s/3}/\ln 2$ and $\delta = 3 \cdot 2^{-(t - 2/3)n/4}$.

Proof. Let $z \in \mathcal{Z}$ be the particular value known to Eve. We first assume that Eve is a passive wire-tapper. Let $(h, a) = (h, h \cdot S_I + S_{II})$ be the message sent from Alice to Bob, and let $\mathcal{E}$ be the event that $H_2(S_{III} \mid S_I = s_I, S_{II} = s_{II}, Z = z) \ge (t - 2/3)n - 2s/3$. Then $\mathcal{E}$ has, according to Corollary 9, probability at least $1 - 2^{-(s/3 - 1)}$. Let $r := (t - 2/3)n - s$, and let $S' := \mathrm{LSB}_r(h \cdot S_{III})$. Theorem 14 now implies that $H(S' \mid HA, \mathcal{E}, Z = z) \ge H(S' \mid HAS_IS_{II}, \mathcal{E}, Z = z) = H(S' \mid HS_IS_{II}, \mathcal{E}, Z = z) \ge r - 2^{-s/3}/\ln 2$. We have used $I(S_{III}; HA \mid S_IS_{II}, Z = z) = 0$. We conclude $H(S' \mid HA, Z = z) \ge \mathrm{Prob}[\mathcal{E}] \cdot (r - 2^{-s/3}/\ln 2) \ge r - r \cdot 2^{-(s/3 - 1)} - 2^{-s/3}/\ln 2 =: r - \varepsilon$.

Let us now consider the case where Eve is an active attacker. We give an upper bound on the probability that Eve can substitute a message $(h, a)$ by a different message $(h', a')$, $h' \ne h$, without being detected. The crucial argument is that $S_I \| S_{II}$ is uniquely determined by $(h, h \cdot S_I + S_{II})$ and $(h', h' \cdot S_I + S_{II})$ if $h \ne h'$. Hence the probability of a successful active attack (which can only be a substitution attack according to the definition of Protocol A, where Alice only accepts after having sent a message) is not greater than the probability of guessing $S$ correctly when given $(h, a)$. From Lemmas 7 and 8 we conclude that $H_2((S_I \| S_{II}) \mid H = h, A = a, Z = z) \ge (t - 2/3)n/2$ is true with probability at least $1 - 2^{-((t - 2/3)n/4 - 1)}$. If the inequality holds, then the maximal probability of a single string $s_I \| s_{II}$ is at most $2^{-H_2((S_I \| S_{II}) \mid H = h, A = a, Z = z)/2} \le 2^{-(t - 2/3)n/4}$. Hence, by the union bound, the success probability of an active attack is upper bounded by $2^{-((t - 2/3)n/4 - 1)} + 2^{-(t - 2/3)n/4} \le 3 \cdot 2^{-(t - 2/3)n/4} = \delta$. □



Appendix B. Extractors 

In this appendix we describe the notion of an extractor and some facts needed for Protocol B. For an introduction into the subject and the precise constructions, see [7] and the references therein. Roughly speaking, an extractor allows one to efficiently distill the entire (or a substantial part of the) randomness (in terms of the min-entropy) of some source into (almost) truly random bits, using a small additional number of random bits. Theorem 18 was proven in [7], introducing one particular class of extractors. Corollary 19, which is a consequence of Theorem 18, is the statement we need in the analysis of Protocol B.

Definition 17. [7] A function $E : \{0,1\}^N \times \{0,1\}^w \to \{0,1\}^r$ is called a $(\delta', \varepsilon')$-extractor if for any distribution $P$ on $\{0,1\}^N$ with min-entropy $H_\infty(P) \ge \delta' N$, the distance of the distribution of $[V, E(X, V)]$ to the uniform distribution over $\{0,1\}^{w+r}$ is at most $\varepsilon'$ when choosing $X$ according to $P$ and $V$ according to the uniform distribution over $\{0,1\}^w$. The distance between two distributions $P$ and $P'$ on a set $\mathcal{X}$ is defined as $d(P, P') := \left(\sum_{x \in \mathcal{X}} |P(x) - P'(x)|\right)/2$.

Theorem 18. [7] For any parameters $\delta' = \delta'(N)$ and $\varepsilon' = \varepsilon'(N)$ with $1/N \le \delta' \le 1/2$ and $2^{-\delta' N} \le \varepsilon' \le 1/N$, there exists a $(\delta', \varepsilon')$-extractor $E : \{0,1\}^N \times \{0,1\}^w \to \{0,1\}^r$, where $w = O(\log(1/\varepsilon') \cdot \log N \cdot \log(1/\delta')/\delta')$ and $r = \Omega(\delta' N / \log(1/\delta'))$, and where $E$ is computable in polynomial time.

Corollary 19. Let $\delta', m \in (0,1)$ be constants. Then there exists $N_0$ and for all $N \ge N_0$ a function $E$, computable in polynomial time, $E : \{0,1\}^N \times \{0,1\}^w \to \{0,1\}^r$, where $w \le mN$ and $r = \Omega(N)$, such that if $T$ is an $N$-bit random variable with $H_\infty(T) \ge \delta' N$, then $H(E(T, V) \mid V) \ge r \cdot (1 - 2^{-N/(2(\log N)^2)}) \cdot (1 - 2^{-N/(2(\log N)^2)} - 2^{-r})$ for uniformly distributed $V$.

Proof. Let $\varepsilon'(N) := 2^{-N/(\log N)^2}$. Then there exists $N_0$ such that for all $N \ge N_0$ we have $\varepsilon' \ge 2^{-\delta' N}$ and a $(\delta', \varepsilon')$-extractor $E$, mapping $\{0,1\}^{N+w}$ to $\{0,1\}^r$, where $w \le mN$ (note that $w = O(N/\log N)$ for this choice of $\varepsilon'$ and for constant $\delta'$) and $r = \Omega(N)$. By definition, this means that for a uniformly distributed random variable $V$ and if $H_\infty(T) \ge \delta' N$, the distance of the distribution of $[V, E(T, V)]$ to the uniform distribution $U_{w+r}$ over $\{0,1\}^{w+r}$ is at most $\varepsilon' = 2^{-N/(\log N)^2}$. Because $d([V, E(T, V)], U_{w+r}) = \mathrm{E}_V[d(E(T, V), U_r)] \le \varepsilon'$ for uniformly distributed $V$, the distance of the distribution of $E(T, v)$ to the uniform distribution $U_r$ (over $\{0,1\}^r$) is at most $\sqrt{\varepsilon'}$ with probability at least $1 - \sqrt{\varepsilon'}$ over $V$, i.e., $\mathrm{P}_V[d(E(T, V), U_r) \le 2^{-N/(2(\log N)^2)}] \ge 1 - 2^{-N/(2(\log N)^2)}$. The corollary now follows from $H(Z) \ge k(1 - d(U_k, P_Z) - 2^{-k})$, which is true for every random variable $Z$ with $\mathcal{Z} \subseteq \{0,1\}^k$ [6]. □
Abstract. We first present two tight lower bounds on the size of the 
secret keys of each user in an unconditionally secure one-time use broad- 
cast encryption scheme (OTBES). Then we show how to construct a com- 
putationally secure multiple-use broadcast encryption scheme (MBES) 
from a key predistribution scheme (KPS) by using the ElGamal cryp- 
tosystem. We prove that our MBES is secure against chosen (message, 
privileged subset of users) attacks if the ElGamal cryptosystem is secure 
and if the original KPS is simulatable. This is the first MBES whose 
security is proved formally. 



1 Introduction 

Secure broadcast encryption is one of the central problems in communication and network security. In this paper we link One-Time use Broadcast Encryption Schemes (OTBESs) [?] with Key Predistribution Schemes (KPS) [?]. Both schemes are closely related but they have a different structure. In a KPS, a Trusted Authority (TA) distributes secret information to a set of users such that each member of a privileged subset $P$ of users can compute a specified key $k_P$, but no coalition $F$ (forbidden subset) is able to recover any information on the key $k_P$ that it is not supposed to know. In an OTBES, the TA distributes secret information to a set of users and then broadcasts a ciphertext $b_P$ over a network. The secret information is such that each member of a particular subset $P$ of users can decrypt $b_P$, but no coalition $F$ (forbidden subset) is able to recover any information on the plaintext $m_P$ of $b_P$ that it is not supposed to know.

A natural way to construct an OTBES from a KPS is to use a key $k_P$ of the KPS to encrypt the message $m_P$, that is

$$b_P = k_P + m_P. \qquad (1)$$

* A part of this research has been supported by NSF Grant NCR-9508528.

K. Ohta and D. Pei (Eds.): ASIACRYPT'98, LNCS 1514, pp. 420-433, 1998.
© Springer-Verlag Berlin Heidelberg 1998
Stinson et al. [?] have shown that there is a tradeoff between $|B_P|$ and $|U_i|$ in OTBESs, where $B_P$ is the set of ciphertexts $b_P$ and $U_i$ is the set of secrets of user $i$. That is, $|B_P|$ can be decreased by increasing $|U_i|$ and vice versa.

A $(\mathcal{P}, \mathcal{F})$-KPS is a KPS for which $\mathcal{P} = \{P \mid P \text{ is a privileged subset}\}$ and $\mathcal{F} = \{F \mid F \text{ is a forbidden subset}\}$. In particular,

- A $(t, \le w)$-KPS is a $(\mathcal{P}, \mathcal{F})$-KPS with $\mathcal{P} = \{P \mid |P| = t\}$, $\mathcal{F} = \{F \mid |F| \le w\}$,

- A $(\le n, \le w)$-KPS is a $(\mathcal{P}, \mathcal{F})$-KPS with $\mathcal{P} = 2^{\mathcal{U}}$, $\mathcal{F} = \{F \mid |F| \le w\}$, where $\mathcal{U}$ is the set of users and $n = |\mathcal{U}|$.

We define $(\mathcal{P}, \mathcal{F})$-OTBESs, $(t, \le w)$-OTBESs and $(\le n, \le w)$-OTBESs in a similar way. Below we list some of the known KPSs and OTBESs.

Key Predistribution Schemes. Blom obtained a $(2, \le w)$-KPS in [?] by using MDS codes (also see [?]). Blundo et al. obtained a $(t, \le w)$-KPS in [3] by using symmetric polynomials. Fiat and Naor presented a $(\le n, \le w)$-KPS in [?]. Blundo et al. found tight lower bounds on $|U_i|$ for $(t, \le w)$-KPSs [3] and for $(\le n, \le w)$-KPSs [2]¹. Recently, Luby and Staddon found some bounds and constructions for some classes of $(n - w, \le w)$-OTBESs [?]. However, there is a gap between their bounds and the constructions.

One-Time Use Broadcast Encryption Schemes. Stinson et al. gave constructions for $(t, \le w)$-OTBESs [?] and $(\le n, \le w)$-OTBESs [?] which can realize the tradeoff between $|B_P|$ and $|U_i|$. Blundo, Frota Mattos and Stinson found a lower bound on $|B_P|$ and $|U_i|$ for $(t, \le w)$-OTBESs which reflects the tradeoff [?]. Recently, Desmedt and Viswanathan presented a $(\le n, \le n)$-KPS [?]. This can be considered as a complement of the Fiat and Naor $(\le n, \le n)$-KPS.

In this paper, we first prove that a $(\mathcal{P}, \mathcal{F})$-KPS is equivalent to a $(\mathcal{P}, \mathcal{F})$-OTBES when $|B_P| = |M|$, where $M$ denotes the set of messages (Theorems 1 and 2). Then, by using the bounds in [2] for KPSs we get directly a lower bound on $|U_i|$ for $(\le n, \le w)$-OTBESs and a lower bound for $(t, \le w)$-OTBESs. The former is the first lower bound for $(\le n, \le w)$-OTBESs. The latter is tighter than the bound of Blundo, Frota Mattos and Stinson for $|B_P| = |M|$. Both bounds are tight because the natural schemes which use equation (1) meet the equalities of our bounds. We also present a general lower bound on $|U_i|$ for KPSs which includes all the previously known bounds as special cases (Theorem 3).

Next, we show how to construct a computationally secure $(\mathcal{P}, \mathcal{F})$-Multiple use Broadcast Encryption Scheme ($(\mathcal{P}, \mathcal{F})$-MBES) from a $(\mathcal{P}, \mathcal{F})$-KPS by using the ElGamal cryptosystem. We prove (Theorem 4) that our $(\mathcal{P}, \mathcal{F})$-MBES is secure against chosen (message, privileged subset of users) attacks (Definition 1) if the ElGamal cryptosystem is secure and if the original $(\mathcal{P}, \mathcal{F})$-KPS is simulatable (Definition 3).

We then show that the Blundo et al. scheme, the Fiat-Naor scheme and the Desmedt-Viswanathan scheme are all simulatable (Theorems 5 and 6). By combining this result with our earlier construction we get $(\mathcal{P}, \mathcal{F})$-MBESs for $(\mathcal{P}, \mathcal{F}) = (t, \le w)$ and $(\le n, \le w)$ whose security is proven formally.

The proposed construction is the first MBES whose security is proven formally (Corollary 6). Furthermore, our technique can be generalized to many of the OTBESs in [?], and our argument holds for Multiple use $(\mathcal{P}, \mathcal{F})$-KPSs.

¹ The model for broadcast encryption in [2] corresponds to our model for KPSs. So, for example, the bounds in [2] hold only for KPSs, and not for OTBESs.

2 Mathematical Models 

Our model for key distribution and broadcast encryption consists of a Trusted Authority (TA) and a set of users $\mathcal{U} = \{1, 2, \ldots, n\}$.

2.1 Key Predistribution 

In a key pre-distribution scheme, the TA generates and distributes secret information to each user. The information given to user $i$ is denoted by $u_i$ and must be distributed "off-band" (i.e., not using the network) in a secure manner. This secret information will enable various privileged subsets to compute keys.

Let $2^{\mathcal{U}}$ denote the set of all subsets of users. $\mathcal{P} \subseteq 2^{\mathcal{U}}$ will denote the collection of all privileged subsets to which the TA distributes keys. $\mathcal{F} \subseteq 2^{\mathcal{U}}$ will denote the collection of all possible coalitions (called forbidden subsets) against which each key is to remain secure.

Once the secret information is distributed, each user $i$ in a privileged set $P$ should be able to compute the key $k_P$ associated with $P$. On the other hand, no forbidden set $F \in \mathcal{F}$ disjoint from $P$ should be able to compute any information about $k_P$.

Let $K_P$ denote the set of possible keys associated with $P$. We assume that $K_P = K$ for each $P \in \mathcal{P}$.

For $1 \le i \le n$, let $U_i$ denote the set of all possible secret values that might be distributed to user $i$ by the TA. For any subset of users $X \subseteq \mathcal{U}$, let $U_X$ denote the cartesian product $U_{i_1} \times \cdots \times U_{i_j}$, where $X = \{i_1, \ldots, i_j\}$ and $i_1 < \cdots < i_j$. We assume that there is a probability distribution on $U_{\mathcal{U}}$, and that the TA chooses $u_{\mathcal{U}} \in U_{\mathcal{U}}$ according to this probability distribution.

We say that the scheme is a $(\mathcal{P}, \mathcal{F})$-Key Predistribution Scheme ($(\mathcal{P}, \mathcal{F})$-KPS) if the following conditions are satisfied:

1. Each user $i$ in any privileged set $P$ can compute $k_P$:

$$\forall i \in P,\ \forall P \in \mathcal{P},\ \forall u_i \in U_i,\ \exists k_P \in K_P \text{ s.t. } \Pr[K_P = k_P \mid U_i = u_i] = 1.$$

2. No forbidden subset $F$ disjoint from any privileged subset $P$ has any information on $k_P$:

$$\forall P \in \mathcal{P},\ \forall k_P \in K_P,\ \forall F \in \mathcal{F} \text{ s.t. } P \cap F = \emptyset,\ \forall u_F \in U_F \text{ s.t. } \Pr(U_F = u_F) > 0,$$
$$\Pr[K_P = k_P \mid U_F = u_F] = \Pr[K_P = k_P]. \qquad (2)$$

We denote a $(\mathcal{P}, \mathcal{F})$-KPS by $(U_1, \ldots, U_n, K)$.
2.2 One-Time Broadcast Encryption

We will use the notation from Section 2.1. We assume that the network is a broadcast channel, i.e., it is insecure, and that any information transmitted by the TA will be received by every user.

In a set-up stage, the TA generates and distributes secret information $u_i$ to each user $i$ off-band. At a later time, the TA will want to broadcast a message to a privileged subset $P$. The particular privileged subset $P$ is, in general, not known ahead of time.

$\mathcal{P} \subseteq 2^{\mathcal{U}}$ will denote the collection of all privileged subsets to which the TA might want to broadcast a message. $\mathcal{F} \subseteq 2^{\mathcal{U}}$ will denote the collection of all possible coalitions (forbidden subsets) against which a broadcast is to remain secure.

Now, suppose that the TA wants to broadcast a message to a given privileged set $P \in \mathcal{P}$ at a later time. (The particular privileged set $P$ is not known when the scheme is set up, except for the restriction that $P \in \mathcal{P}$.) Let $M_P$ denote the set of possible messages that might be broadcast to $P$. We assume that $M_P = M$ for each $P \in \mathcal{P}$. Furthermore, we assume that there is a probability distribution on $M$, and that the TA chooses a message (i.e., a plaintext) $m_P \in M$ according to this probability distribution. Then the broadcast $b_P$ (which is an element of a specified set $B_P$) is computed as a function of $m_P$ and $u_P$.

Once $b_P$ is broadcast, each user $i \in P$ should be able to decrypt $b_P$ and obtain $m_P$. On the other hand, no forbidden set $F \in \mathcal{F}$ disjoint from $P$ should be able to compute any information about $m_P$.

The security of the scheme is in terms of a single broadcast, so we call the scheme one-time. We say that the scheme is a $(\mathcal{P}, \mathcal{F})$-One-Time Broadcast Encryption Scheme ($(\mathcal{P}, \mathcal{F})$-OTBES) if the following conditions are satisfied:

1. Without knowing the broadcast $b_P$, no subset of users has any information about the message $m_P$, even if given all the secret information $u_{\mathcal{U}}$:

$$\forall P \in \mathcal{P},\ \forall m_P \in M_P,\ \forall u_{\mathcal{U}} \in U_{\mathcal{U}} \text{ s.t. } \Pr[U_{\mathcal{U}} = u_{\mathcal{U}}] > 0,\quad \Pr[M_P = m_P \mid U_{\mathcal{U}} = u_{\mathcal{U}}] = \Pr[M_P = m_P]. \qquad (3)$$

2. The message for a privileged user is uniquely determined by the broadcast message and the user's secret information:

$$\forall i \in P,\ \forall P \in \mathcal{P},\ \forall u_i \in U_i,\ \forall b_P \in B_P,\ \exists m_P \in M_P \text{ s.t. } \Pr[M_P = m_P \mid U_i = u_i, B_P = b_P] = 1. \qquad (4)$$

3. After receiving the broadcast message, no forbidden subset $F$ disjoint from $P$ has any information on $m_P$:

$$\forall P \in \mathcal{P},\ \forall F \in \mathcal{F} \text{ s.t. } P \cap F = \emptyset,\ \forall m_P \in M_P,\ \forall u_F \in U_F,\ \forall b_P \in B_P,$$
$$\Pr[M_P = m_P \mid U_F = u_F, B_P = b_P] = \Pr[M_P = m_P]. \qquad (5)$$

We denote a $(\mathcal{P}, \mathcal{F})$-OTBES by $(U_1, \ldots, U_n, M, \{B_P\})$.
2.3 Conventional Notation

We first consider key predistribution schemes. If $\mathcal{P}$ consists of all $t$-subsets of $\mathcal{U}$, then we will write $(t, \mathcal{F})$-KPS. Similarly, if $\mathcal{P}$ consists of all subsets of $\mathcal{U}$ of size at most $t$, we write $(\le t, \mathcal{F})$-KPS. An analogous notation will be used for $\mathcal{F}$. Thus, for example, a $(\le n, 1)$-KPS is a KPS for which there is a key associated with any subset of users (i.e., $\mathcal{P} = 2^{\mathcal{U}}$) and no key $k_P$ can be computed by any individual user $i \notin P$. Note that in any $(\mathcal{P}, \mathcal{F})$-KPS, if $F \in \mathcal{F}$ and $F' \subseteq F$, then $F' \in \mathcal{F}$. Hence, a $(\mathcal{P}, w)$-KPS is a $(\mathcal{P}, \le w)$-KPS.

The same notation is used for one-time use broadcast encryption schemes.

3 Known Results

For a random variable $X$, $H(X)$ denotes the entropy of $X$. Generally,

$$0 \le H(X) \le \log_2 |\mathcal{X}|, \quad \text{where } \mathcal{X} = \{x \mid \Pr(X = x) > 0\}.$$

In particular, $H(X) = \log_2 |\mathcal{X}|$ iff $X$ is uniformly distributed.

3.1 A $(t, \le w)$-KPS (The Blundo et al. Scheme)

Blom presented a $(2, \le w)$-KPS in [?]. This was generalized to a $(t, \le w)$-KPS by Blundo et al. as follows [3]. Let $q$ be a prime such that $q > n$ (the number of users). The TA chooses a random symmetric polynomial in $t$ variables over $GF(q)$ in which the degree of any variable is at most $w$, that is, a polynomial

$$f(x_1, \ldots, x_t) = \sum_{i_1 = 0}^{w} \cdots \sum_{i_t = 0}^{w} a_{i_1 \cdots i_t}\, x_1^{i_1} \cdots x_t^{i_t},$$

where $a_{i_1 \cdots i_t} = a_{\pi(i_1 \cdots i_t)}$ for any permutation $\pi$ on $(i_1, \ldots, i_t)$. The TA computes $u_i$ as $u_i = f(i, x_2, \ldots, x_t)$ and gives $u_i$ to user $i$ secretly for $1 \le i \le n$. The key associated with the $t$-subset $P = \{i_1, \ldots, i_t\}$ is $k_P = f(i_1, \ldots, i_t)$. Each user $j \in P$ can compute $k_P$ from $u_j$ easily. In this scheme, $|K_P| = q = |K|$ and

$$\log |U_i| = \binom{t + w - 1}{t - 1} \log |K|.$$
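An added example, not the paper's code: the Blundo et al. scheme with $t = 3$ and $w = 2$ over $GF(101)$. Each symmetric coefficient is stored once per exponent multiset, so a share $u_i$ holds exactly $\binom{t+w-1}{t-1}$ field elements; the prime, user ids and RNG seed are constructed choices.

```python
# Added example: the Blundo et al. (t, <= w)-KPS with t = 3, w = 2 over GF(q), q = 101.
# Parameters, user ids and the RNG seed are constructed; this is not the paper's code.
import random
from itertools import combinations_with_replacement, permutations
from math import comb


def random_symmetric_poly(t: int, w: int, q: int, rng: random.Random) -> dict:
    """A symmetric polynomial stored once per exponent multiset (sorted tuple):
    a_{i1..it} = a_{pi(i1..it)} then holds automatically.  Entries: C(t+w, t)."""
    return {e: rng.randrange(q) for e in combinations_with_replacement(range(w + 1), t)}


def evaluate(poly: dict, xs: tuple, q: int) -> int:
    """f(x_1, ..., x_t) = sum over all exponent tuples of a_e * x_1^{e_1} ... x_t^{e_t};
    each multiset is expanded into its distinct orderings."""
    total = 0
    for e, a in poly.items():
        for ordering in set(permutations(e)):
            term = a
            for x, k in zip(xs, ordering):
                term = term * pow(x, k, q) % q
            total = (total + term) % q
    return total


def share(poly: dict, i: int, t: int, w: int, q: int) -> dict:
    """u_i = f(i, x_2, ..., x_t): a symmetric polynomial in t-1 variables whose
    coefficient for multiset e is sum_{i1} a_{sorted(i1, e)} * i^{i1}."""
    u = {}
    for e in combinations_with_replacement(range(w + 1), t - 1):
        c = 0
        for i1 in range(w + 1):
            c = (c + poly[tuple(sorted((i1,) + e))] * pow(i, i1, q)) % q
        u[e] = c
    return u


def key_from_share(u_j: dict, j: int, P: tuple, q: int) -> int:
    """User j in P evaluates its share at the other t-1 members and obtains k_P."""
    return evaluate(u_j, tuple(x for x in P if x != j), q)


def demo(t: int = 3, w: int = 2, q: int = 101, n: int = 10, seed: int = 1) -> dict:
    rng = random.Random(seed)     # seeded only for reproducibility; a TA would use a CSPRNG
    f = random_symmetric_poly(t, w, q, rng)
    users = {i: share(f, i, t, w, q) for i in range(1, n + 1)}
    P = (2, 5, 9)
    return {
        "keys": [key_from_share(users[j], j, P, q) for j in P],   # every member agrees
        "direct": evaluate(f, P, q),                              # the TA's k_P = f(2, 5, 9)
        "symmetric": evaluate(f, (9, 2, 5), q),                   # order of P is irrelevant
        "share_size": len(users[1]),                              # C(t+w-1, t-1) field elements
        "bound": comb(t + w - 1, t - 1),
    }
```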

This scheme is optimum because Blundo et al. have shown that the following lower bound on $|U_i|$ applies.

Proposition 1. [3] In a $(t, \le w)$-KPS,

$$\log |U_i| \ge \binom{t + w - 1}{t - 1} H(K).$$

Beimel and Chor gave a combinatorial proof of Proposition 1 [?]. Blundo and Cresti obtained the following more general lower bound.
Proposition 2. [?] In a $(\mathcal{P}, \mathcal{F})$-KPS with $\{1, 2, \ldots, n\} \setminus P \in \mathcal{F}$ for all $P \in \mathcal{P}$,

$$\log |U_i| \ge T_i H(K),$$

where $T_i = |\{P \in \mathcal{P} \mid i \in P\}|$.

Note that Proposition 1 is obtained from Proposition 2 by letting $n = t + w$.

3.2 A $(\le n, \le w)$-KPS (The Fiat-Naor Scheme)

Fiat and Naor presented the following $(\le n, \le w)$-KPS [?]. Let $q$ be any positive integer. For every subset $F \subseteq \mathcal{U}$ of cardinality at most $w$, the TA chooses a random value $s_F \in Z_q$ and gives $s_F$ to every member of $\mathcal{U} \setminus F$ as the secret information. Then the key associated with a privileged set $P$ is defined to be

$$k_P = \sum_{F : F \in \mathcal{F},\ F \cap P = \emptyset} s_F \pmod q.$$

Here is a small example for illustration. Take $n = 3$, $q = 17$ and $w = 1$, and suppose that the TA chooses the values

$$s_\emptyset = 11,\quad s_{\{1\}} = 8,\quad s_{\{2\}} = 3,\quad s_{\{3\}} = 8.$$

The secret information of the users is

$$u_1 = \{s_\emptyset, s_{\{2\}}, s_{\{3\}}\},\quad u_2 = \{s_\emptyset, s_{\{1\}}, s_{\{3\}}\},\quad u_3 = \{s_\emptyset, s_{\{1\}}, s_{\{2\}}\}.$$

The keys determined by this information are

$$k_{\{1,2\}} = s_\emptyset + s_{\{3\}} = 2 \bmod 17,\ \ldots,\ k_{\{1,2,3\}} = s_\emptyset = 11 \bmod 17.$$

In this scheme, $|K_P| = q = |K|$ and

$$\log |U_i| = \sum_{j = 0}^{w} \binom{n - 1}{j} \log |K|.$$

This scheme is optimum because Blundo and Cresti have shown the following Proposition and Corollary.

Proposition 3. [?] In a $(\le n, \mathcal{F})$-KPS,

$$\log |U_i| \ge V_i H(K),$$

where $V_i = |\{F \in \mathcal{F} \mid i \notin F\}|$.

Corollary 1. [?] In a $(\le n, \le w)$-KPS,

$$\log |U_i| \ge \sum_{j = 0}^{w} \binom{n - 1}{j} H(K).$$
3.3 The $(\le n, \le n)$-KPS (The Desmedt-Viswanathan Scheme)

Desmedt and Viswanathan presented a $(\le n, \le n)$-KPS [?]. This scheme can be viewed as a complement of the Fiat-Naor $(\le n, \le n)$-KPS. The TA initially generates $2^n - n - 1$ independent keys, i.e., one for each $P \subseteq \{1, 2, \ldots, n\}$ such that $|P| \ge 2$. Each user $i$ receives from the TA the keys of those subsets for which $i \in P$. Hence, each user gets $2^{n-1} - 1$ keys. This scheme is optimum because of the following lower bound which follows from Corollary 1.

Corollary 2. In a $(\le n, \le n)$-KPS,

$$\log |U_i| \ge (2^{n-1} - 1) H(K).$$

(Desmedt and Viswanathan gave another direct proof [?].)

3.4 Lower Bounds for $(t, \le w)$-OTBESs

Blundo, Frota Mattos and Stinson obtained the following lower bound for $(t, \le w)$-OTBESs [?].

Proposition 4. In any $(t, \le w)$-OTBES with $t \ge w + 1$,

$$H(B_P) + \sum_{i = 1}^{w} H(U_i) \ge (2w + 1) H(M),$$

for any $P \in \mathcal{P}$.

4 New Lower Bounds on $|U_i|$

In this section we first prove that a $(\mathcal{P}, \mathcal{F})$-KPS is equivalent to a $(\mathcal{P}, \mathcal{F})$-OTBES when $|B_P| = |M|$. Then, by using the bounds in [2] for KPSs, we get directly a lower bound on $|U_i|$ for $(\le n, \le w)$-OTBESs and a lower bound for $(t, \le w)$-OTBESs. The former is the first lower bound presented for $(\le n, \le w)$-OTBESs. The latter is tighter than the bound of Blundo, Frota Mattos and Stinson for $|B_P| = |M|$. Our bounds are both tight. We also present a general lower bound on $|U_i|$ for KPSs which includes all the previous bounds as special cases.

4.1 Equivalence between KPS and OTBES

Theorem 1. If there exists a $(\mathcal{P}, \mathcal{F})$-KPS $(U_1, \ldots, U_n, K)$, then there exists a $(\mathcal{P}, \mathcal{F})$-OTBES $(U_1, \ldots, U_n, M, \{B_P\})$ with $|B_P| = |M| = |K|$ for all $P \in \mathcal{P}$.

Proof. Use a key $k_P$ of the $(\mathcal{P}, \mathcal{F})$-KPS to encrypt a message $m_P$, that is

$$b_P = k_P + m_P,$$

and broadcast $b_P$. We then get a $(\mathcal{P}, \mathcal{F})$-OTBES. □
Theorem 2. If there exists a $(\mathcal{P}, \mathcal{F})$-OTBES $(U_1, \ldots, U_n, M, \{B_P\})$ such that $|B_P| = |M|$ for all $P \in \mathcal{P}$, then there exists a $(\mathcal{P}, \mathcal{F})$-KPS $(U_1, \ldots, U_n, K)$ such that $|K| = |M|$ and $H(K) = H(M)$.

Proof. From a $(\mathcal{P}, \mathcal{F})$-OTBES construct a KPS as follows. Fix $b_P \in B_P$ arbitrarily for all $P \in \mathcal{P}$. Since $|B_P| = |M|$, there is a bijection from $B_P$ to $M$ for any $(u_1, \ldots, u_n)$. Then there is an $\hat{m}_P \in M$ such that each member of $P$ decrypts the $b_P$ as $\hat{m}_P$ for any $(u_1, \ldots, u_n)$. Now take $k_P = \hat{m}_P$ in our KPS. It is easy to see that we get a $(\mathcal{P}, \mathcal{F})$-KPS with $|K| = |M|$ and $H(K) = H(M)$. □

4.2 Lower bounds for OTBESs

From Theorem 2, Proposition 1 and Corollary 1 we obtain immediately the following lower bounds on $|U_i|$ for OTBESs.

Corollary 3. In a $(t, \le w)$-OTBES, if $|B_P| = |M|$ for all $P \in \mathcal{P}$, then

$$\log |U_i| \ge \binom{t + w - 1}{t - 1} H(M).$$

Corollary 4. In a $(\le n, \le w)$-OTBES, if $|B_P| = |M|$ for all $P \in \mathcal{P}$, then

$$\log |U_i| \ge \sum_{j = 0}^{w} \binom{n - 1}{j} H(M).$$

These bounds are tight because the construction in the proof of Theorem 1 meets the equalities if we use the KPSs of Section 3.1 and Section 3.2.

4.3 A General Lower Bound on $|U_i|$

We generalize Proposition 2 as follows.

Theorem 3. In a $(\mathcal{P}, \mathcal{F})$-KPS,

$$\log |U_i| \ge \delta_i \log |K|,$$

where

$$\delta_i = |\{P \mid i \in P \in \mathcal{P},\ \{1, 2, \ldots, n\} \setminus P \in \mathcal{F}\}|.$$

The proof is given in the Appendix.

Note that Proposition 3 is also obtained as a corollary from Theorem 3. Indeed, all the previous bounds for KPSs are obtained as corollaries to Theorem 3.

From Theorem 2 and Theorem 3 we get the following corollary.

Corollary 5. In a $(\mathcal{P}, \mathcal{F})$-OTBES, if $|B_P| = |M|$ for all $P \in \mathcal{P}$, then

$$\log |U_i| \ge \delta_i \log |M|,$$

where $\delta_i = |\{P \mid i \in P \in \mathcal{P},\ \{1, 2, \ldots, n\} \setminus P \in \mathcal{F}\}|$.
5 Multiple Use Broadcast Encryption

In this section we first show how to construct a computationally secure $(\mathcal{P}, \mathcal{F})$-Multiple use Broadcast Encryption Scheme ($(\mathcal{P}, \mathcal{F})$-MBES) from a $(\mathcal{P}, \mathcal{F})$-KPS by using the ElGamal cryptosystem. We then prove that our $(\mathcal{P}, \mathcal{F})$-MBES is secure against chosen (message, privileged subset of users) attacks if the ElGamal cryptosystem is secure and if the original $(\mathcal{P}, \mathcal{F})$-KPS is simulatable. We also show that all the KPSs considered in Section 3 are simulatable. This construction is the first $(\mathcal{P}, \mathcal{F})$-MBES whose security is proved formally. Furthermore, our technique can be generalized to many of the OTBESs presented in [?].

5.1 A Proposed Construction for $(\mathcal{P}, \mathcal{F})$-MBES

Let $(U_1, \ldots, U_n, K)$ be a $(\mathcal{P}, \mathcal{F})$-KPS. The TA distributes secret information $u_1, \ldots, u_n$ to the users in the same way as for the $(\mathcal{P}, \mathcal{F})$-KPS. Let $Q$ be a prime power such that $|K|$ divides $Q - 1$. Let $g$ be a primitive $|K|$-th root of unity over $GF(Q)$. All the participants agree on $Q$ and $g$. Let

$$M = \langle g \rangle = \{m \mid m = g^x \text{ for some } x\}.$$

If the TA wishes to send a message $m_P \in M$ to a privileged set $P \in \mathcal{P}$, then the TA broadcasts

$$b_P = (g^r,\ m_P g^{k_P r}),$$

where $k_P$ is the key of the $(\mathcal{P}, \mathcal{F})$-KPS for $P$ and $r$ is a random number. Each member of $P$ can decrypt $b_P$ by using $k_P$ with the ElGamal cryptosystem.

5.2 Security

Let $u_F$ be a $u_F \in U_F$ with $\Pr(U_F = u_F) > 0$. We will show that the proposed construction is secure against chosen message attacks, in which the adversary can target privileged subsets of users adaptively. Informally these attacks are defined as follows. Fix a forbidden subset $F$ (under the control of the adversary) arbitrarily. Suppose that $F$ has obtained a broadcast $b_P$ of a privileged subset $P$, $P \cap F = \emptyset$. Then $F$ chooses several privileged subsets $P_i$ and messages $m_{P_i}$ adaptively, and can obtain from the TA, by using it as an oracle, the broadcasts $b_{P_i}$, $i = 1, 2, \ldots, l$.

Definition 1. A $(\mathcal{P}, \mathcal{F})$-MBES is secure against chosen (message, privileged subset of users) attacks if there is no probabilistic polynomial time algorithm (adversary) $A_0$ such as follows. Give as input to $A_0$:

$$Q,\ g,\ F \in \mathcal{F},\ u_F,\ P \in \mathcal{P},\ b_P = (g^r, m_P g^{k_P r})$$

with $F \cap P = \emptyset$. $A_0$ then chooses $P_i \in \mathcal{P}$ and $m_i \in M$ adaptively, and sends these to the TA as a query for $i = 1, 2, \ldots, l$. The TA gives back $b_{P_i} = (g^{r_i}, m_{P_i} g^{k_{P_i} r_i})$ to $A_0$. Finally, $A_0$ outputs $m_P$ with non-negligible probability for all $(F, P)$.
Definition 2. We say that the ElGamal cryptosystem is secure if there is no probabilistic polynomial time algorithm $A_1$ which on input $(Q, g, y, g^r, m y^r)$ outputs $m$ with non-negligible probability, where $r$ is a random number and $y \in \langle g \rangle$.

Definition 3. We say that a $(\mathcal{P}, \mathcal{F})$-KPS is simulatable if there is a probabilistic polynomial time algorithm (the simulator) $B$ for which the following holds. On input $(Q, g, y, P \in \mathcal{P}, F \in \mathcal{F})$ with $P \cap F = \emptyset$, $B$ outputs $u_F, g^{k_{P_1}}, \ldots, g^{k_{P_h}}$ with probability

$$\Pr(K_{P_1} = k_{P_1}, \ldots, K_{P_h} = k_{P_h}, U_F = u_F \mid K_P = k_P),$$

where $y = g^{k_P}$ and $\{P_1, \ldots, P_h\} = \{P_i \mid P_i \in \mathcal{P},\ P_i \ne P,\ P_i \cap F = \emptyset\}$.

Theorem 4. Suppose that a $(\mathcal{P}, \mathcal{F})$-KPS is simulatable. Then the $(\mathcal{P}, \mathcal{F})$-MBES obtained by using this KPS in our construction is secure against chosen (message, privileged subset of users) attacks if the ElGamal cryptosystem is secure.

Proof. Suppose that a $(\mathcal{P}, \mathcal{F})$-KPS is simulatable and that the proposed $(\mathcal{P}, \mathcal{F})$-MBES is not secure against chosen (message, privileged subset of users) attacks. Then there is a simulator $B$ for the $(\mathcal{P}, \mathcal{F})$-KPS, and an adversary $A_0$ which breaks the scheme for $P \in \mathcal{P}$ by controlling $F \in \mathcal{F}$ for some $P \cap F = \emptyset$.

We will describe a probabilistic polynomial time algorithm $A_1$ which breaks the ElGamal cryptosystem by using $A_0$ and $B$ as subroutines. Let the input to $A_1$ be $(Q, g, y, g^r, m y^r)$. Then there is a $k_P$ such that $y = g^{k_P}$. $A_1$ works as follows.

1. $A_1$ gives $(Q, g, y, P, F)$ to $B$. Then $B$ outputs $u_F, g^{k_{P_1}}, \ldots, g^{k_{P_h}}$.

2. $A_1$ gives $(Q, g, F, u_F, P, g^r, m y^r)$ to $A_0$.

3. Since $A_1$ has $g^{k_{P_1}}, \ldots, g^{k_{P_h}}$, $A_1$ can answer any query of $A_0$.

4. Finally, $A_0$ outputs $m$ with non-negligible probability.

Then $A_1$ can output $m$ with non-negligible probability. This is a contradiction. □

5.3 Simulatable $(\mathcal{P}, \mathcal{F})$-KPSs

In what follows, we assume that $\binom{t + w - 1}{t - 1}$ is polynomial in the length of $Q$ for the Blundo et al. scheme, that $\binom{n - 1}{w}$ is polynomial in the length of $Q$ for the Fiat-Naor scheme, and that $2^{n-1} - 1$ is polynomial in the length of $Q$ for the Desmedt-Viswanathan scheme.

Theorem 5. The Fiat-Naor scheme and the Desmedt-Viswanathan scheme are simulatable.

Proof. We give a proof for the Fiat-Naor scheme. The proof for the Desmedt-Viswanathan scheme is obtained in a similar way.
We shall describe a simulator $B$ whose input is $(Q, g, y, P, F)$, where $P \cap F = \emptyset$. $B$ chooses $s_{F_i}$ randomly for all $F_i \in \mathcal{F}$. From the $s_{F_i}$, $B$ can obtain $u_F$. Note that $s_F \notin u_F$. On the other hand,

$$k_P = \sum_{F' : |F'| \le w,\ F' \cap P = \emptyset} s_{F'} = s_F + \sum_{F' : F' \ne F,\ |F'| \le w,\ F' \cap P = \emptyset} s_{F'} \pmod{q - 1}.$$

Therefore,

$$y = g^{k_P} = g^{s_F} \cdot g^{\sum_{F' : F' \ne F,\ |F'| \le w,\ F' \cap P = \emptyset} s_{F'}},$$

$$g^{s_F} = y \big/ g^{\sum_{F' : F' \ne F,\ |F'| \le w,\ F' \cap P = \emptyset} s_{F'}}.$$

Thus $B$ can compute $g^{s_F}$ which is consistent with $k_P$ such that $y = g^{k_P}$. Then $B$ can compute $g^{k_{P_i}}$ for all $P_i \in \mathcal{P}$ because $B$ knows $\{s_{F'} \mid F' \ne F,\ F' \in \mathcal{F}\}$ and $g^{s_F}$. □
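An added example (not the authors' code) that ties together the Fiat-Naor instance of Section 3.2 with the page's toy values ($n = 3$, $q = 17$, $w = 1$), the OTBES of Theorem 1, the ElGamal-based MBES of Section 5.1, and the simulator $B$ from the proof of Theorem 5. The group parameters $Q = 103$, $g = 64$ and the random exponents are constructed choices.

```python
# Added example: Fiat-Naor (<= n, <= w)-KPS (Section 3.2), the OTBES of Theorem 1,
# the ElGamal-based MBES of Section 5.1 and the simulator of Theorem 5.  Not the
# paper's code; Q, G and all random values are constructed.
from itertools import combinations
import secrets

# Q = 103 is prime, |K| = q = 17 divides Q - 1 = 102, and G = 2^6 mod 103 = 64 has
# order 17, so <G> is the message space M of Section 5.1.
Q, G, QK = 103, 64, 17


def forbidden_sets(n: int, w: int) -> list:
    """F: all subsets of U = {1, ..., n} of size at most w (the empty set included)."""
    return [frozenset(c) for j in range(w + 1) for c in combinations(range(1, n + 1), j)]


def fiat_naor_setup(n: int, s: dict) -> dict:
    """u_i = {s_F : i not in F}; the TA gives s_F to every member of U \\ F."""
    return {i: {F: v for F, v in s.items() if i not in F} for i in range(1, n + 1)}


def user_key(u_i: dict, P: frozenset) -> int:
    """k_P = sum of s_F over F disjoint from P (mod q); a member of P holds every such s_F."""
    return sum(v for F, v in u_i.items() if not (F & P)) % QK


def otbes_broadcast(k_P: int, m_P: int) -> int:
    """Theorem 1 / eq. (1): the one-time broadcast b_P = k_P + m_P, here in Z_q."""
    return (k_P + m_P) % QK


def mbes_broadcast(k_P: int, m_P: int, r=None) -> tuple:
    """Section 5.1: b_P = (g^r, m_P * g^{k_P r}) with random r; m_P must lie in <g>."""
    if r is None:
        r = 1 + secrets.randbelow(QK - 1)
    return pow(G, r, Q), m_P * pow(G, k_P * r, Q) % Q


def mbes_decrypt(k_P: int, b_P: tuple) -> int:
    """A member of P divides the second component by (g^r)^{k_P}."""
    c1, c2 = b_P
    return c2 * pow(c1, -k_P, Q) % Q


def simulator(y: int, P: frozenset, F: frozenset, n: int, w: int) -> tuple:
    """Simulator B of Theorem 5 for Fiat-Naor: from y = g^{k_P} alone it outputs u_F
    and g^{k_{P_i}} for every P_i disjoint from F (P itself included, for checking)."""
    s = {Fi: secrets.randbelow(QK) for Fi in forbidden_sets(n, w)}   # dummy secrets
    u_F = {Fi: v for Fi, v in s.items() if not F <= Fi}               # coalition F's view; s_F is absent
    others = sum(v for Fi, v in s.items() if Fi != F and not (Fi & P))
    g_sF = y * pow(G, -others, Q) % Q                                 # g^{s_F} = y / g^{sum of other s_F'}
    g_keys = {}
    for size in range(1, n + 1):
        for c in combinations(range(1, n + 1), size):
            Pi = frozenset(c)
            if Pi & F:
                continue
            rest = sum(v for Fi, v in s.items() if Fi != F and not (Fi & Pi))
            g_keys[Pi] = g_sF * pow(G, rest, Q) % Q                  # g^{k_{P_i}} = g^{s_F} * g^{rest}
    return u_F, g_keys


def demo() -> dict:
    """The page's toy instance: n = 3, q = 17, w = 1, s_{} = 11, s_{1} = 8, s_{2} = 3, s_{3} = 8."""
    s = {frozenset(): 11, frozenset({1}): 8, frozenset({2}): 3, frozenset({3}): 8}
    users = fiat_naor_setup(3, s)
    P12, P123 = frozenset({1, 2}), frozenset({1, 2, 3})
    k12 = user_key(users[1], P12)                 # user 1 derives k_{1,2}
    m = pow(G, 5, Q)                              # a message in <g>
    b = mbes_broadcast(k12, m, r=7)
    u_F, g_keys = simulator(pow(G, k12, Q), P12, frozenset({3}), 3, 1)
    return {
        "k12": k12,
        "k12_from_user2": user_key(users[2], P12),
        "k123": user_key(users[3], P123),
        "share_size": len(users[1]),              # sum_{j<=w} C(n-1, j) = 1 + 2 = 3
        "otbes": otbes_broadcast(k12, 5),
        "mbes_roundtrip": mbes_decrypt(k12, b) == m,
        "sim_consistent": g_keys[P12] == pow(G, k12, Q),   # simulated g^{k_P} matches y
        "sim_hides_sF": frozenset({3}) not in u_F,
    }
```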

Definition 4. Let $A = \{a_{i_1 \cdots i_t} \mid 0 \le i_1 \le w, \ldots, 0 \le i_t \le w\}$. We say that $A$ is symmetric if for any $a_{i_1 \cdots i_t} \in A$: $a_{i_1 \cdots i_t} = a_{p(i_1 \cdots i_t)}$ for all permutations $p$ of $(i_1 \cdots i_t)$. Furthermore, let

$$f(x_1, \ldots, x_t) = \sum_{i_1 = 0}^{w} \cdots \sum_{i_t = 0}^{w} a_{i_1 \cdots i_t}\, x_1^{i_1} \cdots x_t^{i_t}.$$

We say that $f(x_1, \ldots, x_t)$ is symmetric if $A$ is symmetric.

Lemma 1. For given $D = \{d_{j_1 \cdots j_t} \mid 1 \le j_1 \le w + 1, \ldots, 1 \le j_t \le w + 1\}$, let

$$a_{i_1 \cdots i_t} = \sum_{j_1 = 1}^{w + 1} \cdots \sum_{j_t = 1}^{w + 1} w_{j_1 i_1} \cdots w_{j_t i_t}\, d_{j_1 \cdots j_t},$$

where $[w_{ij}] = C^{-1}$ and

$$C = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ 1 & 2 & \cdots & w + 1 \\ \vdots & \vdots & & \vdots \\ 1 & 2^w & \cdots & (w + 1)^w \end{pmatrix}.$$

Then

$$d_{j_1 \cdots j_t} = \sum_{i_1 = 0}^{w} \cdots \sum_{i_t = 0}^{w} a_{i_1 \cdots i_t}\, j_1^{i_1} \cdots j_t^{i_t}.$$

Furthermore, if $D$ is symmetric, then $A$ is symmetric.
Theorem 6. The Blundo et al. scheme is simulatable.

Proof. For simplicity, suppose that the input to the simulator $B$ is $F = \{1, 2, \ldots, w\}$, $P = \{v_1, \ldots, v_t\}$, $y = g^{k_P}$, $Q$, $g$.

$B$ first chooses a (dummy) symmetric polynomial

$$f(x_1, \ldots, x_t) = \sum_{i_1=0}^{w} \cdots \sum_{i_t=0}^{w} a_{i_1 \cdots i_t}\, x_1^{i_1} \cdots x_t^{i_t}$$

randomly. Then $u_F = (f(1, x_2, \ldots, x_t), \ldots, f(w, x_2, \ldots, x_t))$. Next we consider a (real) symmetric polynomial

$$f_c(x_1, \ldots, x_t) = \sum_{i_1=0}^{w} \cdots \sum_{i_t=0}^{w} \bar{a}_{i_1 \cdots i_t}\, x_1^{i_1} \cdots x_t^{i_t} \qquad (6)$$

such that $f_c(i, x_2, \ldots, x_t) = f(i, x_2, \ldots, x_t)$ for $1 \le i \le w$ and $f_c(v_1, \ldots, v_t) = k_P$. We first show that there exists such a polynomial $f_c$. Let

$$J = \{(j_1 \cdots j_t) \mid 1 \le j_1 \le w+1, \ldots, 1 \le j_t \le w+1\} \setminus \{(w+1 \cdots w+1)\}.$$

Then $B$ can compute $b_{j_1 \cdots j_t} = f_c(j_1, \ldots, j_t)$ for all $(j_1 \cdots j_t) \in J$ by using $u_F$ (every such point has some coordinate $j_k \le w$, and $f_c$ is symmetric). Let $c = f_c(w+1, \ldots, w+1)$, where $c$ is an unknown variable. From Lemma 1, $B$ can compute $\{\bar{a}_{i_1 \cdots i_t}\}$ from $\{b_{j_1 \cdots j_t}\}$ and $c$. Further, it is easy to see that $\bar{a}_{i_1 \cdots i_t}$ has the form

$$\bar{a}_{i_1 \cdots i_t} = \alpha_{i_1 \cdots i_t} + \beta_{i_1 \cdots i_t}\, c$$

for some constants $\alpha_{i_1 \cdots i_t}$ and $\beta_{i_1 \cdots i_t}$. Then from eq. (6), we have

$$k_P = f_c(v_1, \ldots, v_t) = e_0 + e_1 c$$

for some constants $e_0$ and $e_1$. This means that there exists such an $f_c$. Now

$$y = g^{k_P} = g^{e_0} \left(g^{c}\right)^{e_1}.$$

Therefore $B$ can compute $g^c$ from this equation. Finally $B$ can compute $g^{k_{P_i}}$ for all $P_i \in \mathcal{P}$ by using eq. (6) and $g^c$.

□
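Lemma 1 and the affine-in-$c$ step of the Theorem 6 proof, run on a small instance. This is an added example, not code from the paper: it builds a symmetric polynomial $f$ in $t$ variables of degree $w$ in each, hands user $i$ the share $f(i, x_2, \ldots, x_t)$, recovers the coefficients from the values on the grid $\{1, \ldots, w+1\}^t$ with the inverse Vandermonde matrix $C^{-1}$ of Lemma 1, and then shows that when the corner value $c = f_c(w+1, \ldots, w+1)$ is left unknown the interpolated coefficients are $\alpha + \beta c$ and the conference key is $e_0 + e_1 c$. The example works over the prime field $\mathrm{GF}(p)$ with $p = 1289$ (my choice of setting, where $C^{-1}$ certainly exists); the prime, the sizes $t = 3$, $w = 2$ and all function names are assumptions of the example.

```python
"""Blundo et al. KPS from a symmetric polynomial, Lemma 1 interpolation, and the
affine-in-c step of the Theorem 6 simulator.  Added example, not from the paper."""
import random
from itertools import product

P_MOD = 1289   # ASSUMED toy prime; coefficients and keys live in GF(P_MOD)

def matrix_inverse(M, p):
    """Gauss-Jordan inverse of a square matrix over GF(p)."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] % p)
        A[col], A[piv] = A[piv], A[col]
        s = pow(A[col][col], p - 2, p)
        A[col] = [x * s % p for x in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(x - f * y) % p for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]

def vandermonde_inverse(w, p):
    """C = (j^i) with rows i = 0..w and columns j = 1..w+1 (Lemma 1); returns C^{-1}."""
    C = [[pow(j, i, p) for j in range(1, w + 2)] for i in range(w + 1)]
    return matrix_inverse(C, p)

def random_symmetric_poly(t, w, p, rng):
    """Coefficients a_{i_1..i_t}, 0 <= i_k <= w, equal on every permutation of the index."""
    a = {}
    for idx in product(range(w + 1), repeat=t):
        key = tuple(sorted(idx))
        a.setdefault(key, rng.randrange(p))
        a[idx] = a[key]
    return a

def evaluate(a, xs, p):
    """f(x_1..x_t) = sum a_{i_1..i_t} x_1^{i_1} ... x_t^{i_t} over GF(p)."""
    total = 0
    for idx, coef in a.items():
        for x, i in zip(xs, idx):
            coef = coef * pow(x, i, p) % p
        total = (total + coef) % p
    return total

def user_share(a, i, t, w, p):
    """u_i = f(i, x_2..x_t): the (t-1)-variate polynomial the dealer gives user i."""
    return {idx: sum(a[(i1,) + idx] * pow(i, i1, p) for i1 in range(w + 1)) % p
            for idx in product(range(w + 1), repeat=t - 1)}

def interpolate(d, t, w, p):
    """Lemma 1: a_{i_1..i_t} = sum_j w_{j_1 i_1} ... w_{j_t i_t} d_{j_1..j_t}, [w_{ji}] = C^{-1}."""
    W = vandermonde_inverse(w, p)
    a = {}
    for idx in product(range(w + 1), repeat=t):
        total = 0
        for js in product(range(1, w + 2), repeat=t):
            coef = d[js]
            for j, i in zip(js, idx):
                coef = coef * W[j - 1][i] % p
            total = (total + coef) % p
        a[idx] = total
    return a

def affine_form(shares, t, w, p, v):
    """Theorem 6: from the shares of the coalition F = {1..w} every grid value on
    {1..w+1}^t is known except c = f_c(w+1..w+1).  Lemma 1 is linear in the values,
    so interpolating with c = 0 and c = 1 gives a_bar = alpha + beta*c and hence
    k_P = f_c(v) = e0 + e1*c.  Returns (e0, e1)."""
    def grid(c):
        d = {}
        for js in product(range(1, w + 2), repeat=t):
            k = next((k for k, j in enumerate(js) if j <= w), None)
            if k is None:
                d[js] = c
            else:  # symmetry: f_c(js) = f(j_k, rest), which user j_k's share evaluates
                d[js] = evaluate(shares[js[k]], js[:k] + js[k + 1:], p)
        return d
    alpha = interpolate(grid(0), t, w, p)
    a1 = interpolate(grid(1), t, w, p)
    beta = {idx: (a1[idx] - alpha[idx]) % p for idx in alpha}
    return evaluate(alpha, v, p), evaluate(beta, v, p)

def run_demo(t=3, w=2, seed=3):
    """Dealer, users, interpolation and the affine form on one instance; returns the checks."""
    rng, p = random.Random(seed), P_MOD
    a = random_symmetric_poly(t, w, p, rng)             # the dealer's real polynomial
    shares = {i: user_share(a, i, t, w, p) for i in range(1, w + t + 1)}
    v = tuple(range(w + 1, w + t + 1))                   # privileged set P, disjoint from F = {1..w}
    k_P = evaluate(a, v, p)
    members_agree = all(evaluate(shares[v[k]], v[:k] + v[k + 1:], p) == k_P for k in range(t))
    grid = {js: evaluate(a, js, p) for js in product(range(1, w + 2), repeat=t)}
    recovered = interpolate(grid, t, w, p)
    e0, e1 = affine_form(shares, t, w, p, v)
    c = evaluate(a, (w + 1,) * t, p)                     # the value the simulator does not know
    return {
        "members_agree": members_agree,
        "interpolation_recovers": recovered == a,
        "recovered_symmetric": all(recovered[i] == recovered[tuple(sorted(i))] for i in recovered),
        "affine_form_holds": (e0 + e1 * c) % p == k_P,
    }
```

`affine_form` never touches the shares of users outside $\{1, \ldots, w\}$, so the $(e_0, e_1)$ it returns is exactly what the simulator $B$ of Theorem 6 can compute from $u_F$ alone; the final check confirms that plugging in the true $c$ gives the real $k_P$.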

Corollary 6. Suppose that the ElGamal cryptosystem is secure. The MBESs
obtained from the Blundo et al. scheme, the Fiat-Naor scheme and the Desmedt-Viswanathan scheme by using our construction are all secure against chosen
(message, privileged subset of users) attacks.

5.4 Generalization of Our MBES 

We can generalize the MBESs in Corollary 6 so that anyone can do broadcast
encryption. In the Fiat-Naor based MBES, make each public. In the Blundo
et al. based MBES, make each public, where is the coefficient of the
symmetric polynomial $f$. Finally, in the Desmedt-Viswanathan based MBES,
make each public. It can be proved that these modifications maintain the
security. The details will be given in the final paper.






K. Kurosawa et al. 



References 

1. Blom, R.: An optimal class of symmetric key generation systems. Advances in Cryptology - EUROCRYPT '84, Lecture Notes in Computer Science #209. Springer-Verlag (1985) 335-338

2. Blundo, C., Cresti, A.: Space requirements for broadcast encryption. Advances in Cryptology - EUROCRYPT '94, Lecture Notes in Computer Science #950. Springer-Verlag (1995) 287-298

3. Blundo, C., De Santis, A., Herzberg, A., Kutten, S., Vaccaro, U., Yung, M.: Perfectly secure key distribution for dynamic conferences. Advances in Cryptology - CRYPTO '92, Lecture Notes in Computer Science #740. Springer-Verlag (1993) 471-486

4. Blundo, C., Frota Mattos, L.A., Stinson, D.R.: Trade-offs between communication and storage in unconditionally secure schemes for broadcast encryption and interactive key distribution. Advances in Cryptology - CRYPTO '96, Lecture Notes in Computer Science #1109. Springer-Verlag (1996) 387-400

5. Fiat, A., Naor, M.: Broadcast encryption. Advances in Cryptology - CRYPTO '93, Lecture Notes in Computer Science #773. Springer-Verlag (1994) 480-491

6. Stinson, D.R.: On some methods for unconditionally secure key distribution and broadcast encryption. Designs, Codes and Cryptography 12 (1997) 215-243

7. Beimel, A., Chor, B.: Communication in key distribution schemes. IEEE Transactions on Information Theory 42 (1996) 19-28

8. Luby, M., Staddon, J.: Combinatorial bounds for broadcast encryption. Advances in Cryptology - EUROCRYPT '98, Lecture Notes in Computer Science #1403. Springer-Verlag (1998) 512-526

9. Desmedt, Y., Viswanathan, V.: Unconditionally secure dynamic conference key distribution. IEEE ISIT '98 (1998)

10. Matsumoto, T., Imai, H.: On the key predistribution systems: A practical solution to the key distribution problem. In: Pomerance, C. (ed.): Advances in Cryptology - CRYPTO '87, Lecture Notes in Computer Science #293. Springer-Verlag (1988) 185-193



Proof of Theorem 2

Our proof is a generalization of the proof in [3, Theorem 3.1].

Lemma 2. Let $P$ and $Q$ be distinct subsets of $\{1, 2, \ldots, n\}$.
Let $F = \{1, 2, \ldots, n\} \setminus Q$. If $|Q| \le |P|$, then

$$F \cap P \neq \emptyset.$$

Proof. First, suppose that $|Q| < |P|$. If $F \cap P = \emptyset$, then

$$n \ge |F \cup P| = |F| + |P| = n - |Q| + |P| > n.$$

This is a contradiction. Therefore, $F \cap P \neq \emptyset$.

Next, suppose that $|Q| = |P|$. If $F \cap P = \emptyset$, then

$$|F \cup P| = |F| + |P| = n - |Q| + |P| = n.$$

Therefore, $F = \{1, 2, \ldots, n\} \setminus P$. This means that $P = \{1, 2, \ldots, n\} \setminus F = Q$. This is a contradiction. Hence, $F \cap P \neq \emptyset$.

□

Proof of Theorem 2.



For simplicity, we give a proof for $|U_1|$. Take

$$\hat{\mathcal{P}} = \{P \mid 1 \in P \in \mathcal{P},\ \{1, 2, \ldots, n\} \setminus P \in \mathcal{F}\}.$$

Let $l = \delta_1 = |\hat{\mathcal{P}}|$ and let $\hat{\mathcal{P}} = \{P_1, P_2, \ldots, P_l\}$, where $|P_1| \ge |P_2| \ge \cdots \ge |P_l|$.
Let $u = (u_1, \ldots, u_n)$ be a vector of secret information of the users such that

$$\Pr[U = u] > 0.$$

We define $u_F$ similarly.

For all $k_1 \in K_{P_1}$, for all $F$ such that $P_1 \cap F = \emptyset$ and for all $u_F$,

$$\Pr[K_{P_1} = k_1 \mid U_F = u_F] = \Pr[K_{P_1} = k_1] > 0,$$

from the defining equation of the $(\mathcal{P}, \mathcal{F})$-KPS. Therefore, for all $k_1 \in K_{P_1}$ there is a $u = (u_1, \ldots, u_n)$ such that the key of $P_1$ reconstructed from $u$ is $k_1$. Now let $k = (k_1, \ldots, k_l)$ be any vector in $K_{P_1} \times \cdots \times K_{P_l}$. We claim that there is a $u$ such that the key of $P_i$ reconstructed from $u$ is $k_i$ for $1 \le i \le l$.

Suppose that our claim is false. Let $h\ (\le l)$ be the maximum index such that the keys of $\{P_i\}$ are $(k_1, \ldots, k_{h-1}, k'_h, \ldots, k'_l)$ for some $u$, where $k'_h \neq k_h$. Then $2 \le h$ from our discussion. Let

$$F_h = \{1, 2, \ldots, n\} \setminus P_h.$$

Then from Lemma 2 (let $Q = P_h$ and $P = P_i$),

$$F_h \cap P_i \neq \emptyset \quad \text{for } 1 \le i \le h-1. \qquad (8)$$

Let $u_{F_h}$ be the subvector of $u$ which corresponds to $F_h$. Then by (8), $k_1, \ldots, k_{h-1}$ can be computed from $u_{F_h}$. Suppose that

$$\Pr[K_{P_h} = k_h \mid U_{F_h} = u_{F_h}] > 0.$$

This means that there exists a $u$ such that the keys are $k_1, \ldots, k_{h-1}, k_h$. This contradicts the maximality of $h$. Therefore,

$$\Pr[K_{P_h} = k_h \mid U_{F_h} = u_{F_h}] = 0.$$

However, this contradicts the defining equation of the KPS, since $F_h \cap P_h = \emptyset$ and $F_h \in \mathcal{F}$ by the definition of $\hat{\mathcal{P}}$.

Hence, for any $k \in K_{P_1} \times \cdots \times K_{P_l}$, there exists a $u$ such that the keys are $k$. Remember that user 1 is included in every $P_i$ by our definition of $\hat{\mathcal{P}}$, so $u_1$ alone determines all $l$ keys. It follows that $u_1$ must be distinct for each $k$. Therefore,

$$|U_1| \ge |K_{P_1}| \times \cdots \times |K_{P_l}| = |K|^l.$$

Hence,

$$\log |U_1| \ge l \log |K| = \delta_1 \log |K|.$$